Vulnerability CVE-2013-4429 - CERT Civis.Net

Vulnerability Name:

CVE-2013-4429 (CCN-88082)

Assigned:

2013-10-15

Published:

2013-10-15

Updated:

2014-05-19

Summary:

Mahara before 1.5.12, 1.6.x before 1.6.7, and 1.7.x before 1.7.3 does not properly restrict access to artefacts, which allows remote authenticated users to read arbitrary artefacts via the (1) artefact id in an upload action when creating a journal or (2) instconf_artefactid_selected[ID] parameter in an upload action when editing a block.

CVSS v3 Severity:

5.3 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)

Exploitability Metrics:	Attack Vector (AV): Network Attack Complexity (AC): Low Privileges Required (PR): None User Interaction (UI): None
Scope:	Scope (S): Unchanged
Impact Metrics:	Confidentiality (C): None Integrity (I): Low Availibility (A): None

CVSS v2 Severity:

4.0 Medium (CVSS v2 Vector: AV:N/AC:L/Au:S/C:P/I:N/A:N)
3.0 Low (Temporal CVSS v2 Vector: AV:N/AC:L/Au:S/C:P/I:N/A:N/E:U/RL:OF/RC:C)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Low Authentication (Au): Single_Instance
Impact Metrics:	Confidentiality (C): Partial Integrity (I): None Availibility (A): None

5.0 Medium (CCN CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:P/A:N)
3.7 Low (CCN Temporal CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:P/A:N/E:U/RL:OF/RC:C)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Low Athentication (Au): None
Impact Metrics:	Confidentiality (C): None Integrity (I): Partial Availibility (A): None

Vulnerability Type:

Vulnerability Consequences:

Bypass Security

References:

Source: MITRE
Type: CNA
CVE-2013-4429

Source: CCN
Type: oss-sec Mailing List, Tue, 15 Oct 2013 23:50:47 -0600
Re: Re: CVE request: mahara 1.7.3

Source: MLIST
Type: UNKNOWN
[oss-security] 20131008 CVE request: mahara 1.7.3

Source: MLIST
Type: UNKNOWN
[oss-security] 20131015 Re: CVE request: mahara 1.7.3

Source: MLIST
Type: UNKNOWN
[oss-security] 20131015 Re: Re: CVE request: mahara 1.7.3

Source: CCN
Type: BID-62862
Mahara Multiple Security Bypass Vulnerabilities

Source: CONFIRM
Type: UNKNOWN
https://bugs.launchpad.net/mahara/+bug/1211758

Source: XF
Type: UNKNOWN
mahara-cve20134429-security-bypass(88082)

Source: CCN
Type: Mahara Web site
Home - Mahara ePortfolio System

Source: CONFIRM
Type: UNKNOWN
https://mahara.org/interaction/forum/topic.php?id=5753

Source: CCN
Type: WhiteSource Vulnerability Database
CVE-2013-4429

Vulnerable Configuration:

Configuration 1:

cpe:/a:mahara:mahara:1.5:rc1:*:*:*:*:*:*

OR cpe:/a:mahara:mahara:1.5:rc2:*:*:*:*:*:*

OR cpe:/a:mahara:mahara:1.5.0:*:*:*:*:*:*:*

OR cpe:/a:mahara:mahara:1.5.1:*:*:*:*:*:*:*

OR cpe:/a:mahara:mahara:1.5.2:*:*:*:*:*:*:*

OR cpe:/a:mahara:mahara:1.5.3:*:*:*:*:*:*:*

OR cpe:/a:mahara:mahara:1.5.4:*:*:*:*:*:*:*

OR cpe:/a:mahara:mahara:1.5.6:*:*:*:*:*:*:*

OR cpe:/a:mahara:mahara:1.5.7:*:*:*:*:*:*:*

OR cpe:/a:mahara:mahara:1.5.8:*:*:*:*:*:*:*

OR cpe:/a:mahara:mahara:1.5.9:*:*:*:*:*:*:*

OR cpe:/a:mahara:mahara:1.5.10:*:*:*:*:*:*:*

OR cpe:/a:mahara:mahara:*:*:*:*:*:*:*:* (Version <= 1.5.11)

Configuration 2:

cpe:/a:mahara:mahara:1.7:rc1:*:*:*:*:*:*

OR cpe:/a:mahara:mahara:1.7.0:-:*:*:*:*:*:*

OR cpe:/a:mahara:mahara:1.7.1:*:*:*:*:*:*:*

OR cpe:/a:mahara:mahara:1.7.2:*:*:*:*:*:*:*

Configuration 3:

cpe:/a:mahara:mahara:1.6.0:*:*:*:*:*:*:*

OR cpe:/a:mahara:mahara:1.6.1:*:*:*:*:*:*:*

OR cpe:/a:mahara:mahara:1.6.2:*:*:*:*:*:*:*

OR cpe:/a:mahara:mahara:1.6.3:*:*:*:*:*:*:*

OR cpe:/a:mahara:mahara:1.6.4:*:*:*:*:*:*:*

OR cpe:/a:mahara:mahara:1.6.5:*:*:*:*:*:*:*

OR cpe:/a:mahara:mahara:1.6.6:*:*:*:*:*:*:*

Configuration CCN 1:

cpe:/a:mahara:mahara:1.5.11:*:*:*:*:*:*:*

OR cpe:/a:mahara:mahara:1.6.6:*:*:*:*:*:*:*

OR cpe:/a:mahara:mahara:1.7.2:*:*:*:*:*:*:*

Denotes that component is vulnerable

Oval Definitions

Definition ID	Class	Title	Last Modified
oval:com.ubuntu.precise:def:20134429000	V	CVE-2013-4429 on Ubuntu 12.04 LTS (precise) - medium.	2014-05-19