Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
certCERTVU:442595
HistoryJun 07, 2012 - 12:00 a.m.

ScrumWorks Pro privilege escalation vulnerability

2012-06-0700:00:00
www.kb.cert.org
17

6.5 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:S/C:P/I:P/A:P

0.002 Low

EPSS

Percentile

59.9%

JSON

Overview

ScrumWorks Pro versions prior to ScrumWorks Pro 6.0 contain a privilege escalation vulnerability.

Description

ScrumWorks Pro versions prior to ScrumWorks Pro 6.0 contain a privilege escalation vulnerability where a malicious user can escalate the privileges of their ScrumWorks Pro account by recompiling the desktop client. When exploited, a malicious user could grant themselves ScrumWorks Pro privileges and access information to which they would otherwise be unable to access.

Impact

A malicious user can escalate the privileges of their ScrumWorks Pro account by recompiling the desktop client.

Solution

Update

CollabNet has stated:_ CollabNet has addressed this problem in release 6.0 such that a modified client is no longer effective in escalating permissions. Note for all versions of ScrumWorks Pro, this security issue does not compromise the security of the underlying host operating system and that a modified client does not negate the need for a valid username and password. Further, all activities by modified clients are still logged in the server.log file._

Vendor Information

442595

Filter by status: All Affected Not Affected Unknown

Filter by content: __ Additional information available

__ Sort by: Status Alphabetical

Expand all

Javascript is disabled. Click here to view vendors.

CollabNet __ Affected

Notified: February 16, 2012 Updated: May 31, 2012

Status

Affected

Vendor Statement

CollabNet has addressed this problem in release 6.0 such that a modified client is no longer effective in escalating permissions. Note for all versions of ScrumWorks Pro, this security issue does not compromise the security of the underlying host operating system and that a modified client does not negate the need for a valid username and password. Further, all activities by modified clients are still logged in the server.log file.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

CVSS Metrics

Group Score Vector
Base 5.6 AV:N/AC:H/Au:S/C:C/I:P/A:N
Temporal 4.4 E:POC/RL:OF/RC:C
Environmental 1.2 CDP:L/TD:L/CR:ND/IR:ND/AR:ND

References

<http://www.collab.net/products/scrumworks&gt;

Acknowledgements

Thanks to Wolfgang Holoch and David Elze of Daimler TSS GmbH for reporting this vulnerability.

This document was written by Michael Orlando.

Other Information

CVE IDs: CVE-2012-2603
Date Public: 2012-06-04 Date First Published:

Related

cve 1
prion 1
nvd 1
cvelist 1
cve
cve
CVE-2012-2603
2022-10-03 16:15:37
prion
prion
Design/Logic Flaw
2012-06-08 16:55:00
nvd
nvd
CVE-2012-2603
2012-06-08 16:55:00
cvelist
cvelist
CVE-2012-2603
2022-10-03 16:15:37

6.5 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:S/C:P/I:P/A:P

0.002 Low

EPSS

Percentile

59.9%

JSON
Related for VU:442595
cve1prion1nvd1cvelist1