Lucene search
HistoryJan 25, 2011 - 7:00 p.m.
CVE-2011-0009
best practical solutions
rt 3.x
rt 4.x
md5 algorithm
password hashes
nvd
cve-2011-0009
4.3 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:M/Au:N/C:P/I:N/A:N
6.3 Medium
AI Score
Confidence
Low
0.004 Low
EPSS
Percentile
74.9%
Best Practical Solutions RT 3.x before 3.8.9rc2 and 4.x before 4.0.0rc4 uses the MD5 algorithm for password hashes, which makes it easier for context-dependent attackers to determine cleartext passwords via a brute-force attack on the database.
Affected configurations
Node
bestpracticalrtRange≤3.8.9rc1
ORbestpracticalrtMatch3.0.0
ORbestpracticalrtMatch3.0.1
ORbestpracticalrtMatch3.0.2
ORbestpracticalrtMatch3.0.3
ORbestpracticalrtMatch3.0.4
ORbestpracticalrtMatch3.0.5
ORbestpracticalrtMatch3.0.6
ORbestpracticalrtMatch3.0.7
ORbestpracticalrtMatch3.0.7.1
ORbestpracticalrtMatch3.0.8
ORbestpracticalrtMatch3.0.9
ORbestpracticalrtMatch3.0.10
ORbestpracticalrtMatch3.0.10pre1
ORbestpracticalrtMatch3.0.10pre2
ORbestpracticalrtMatch3.0.10rc1
ORbestpracticalrtMatch3.0.11
ORbestpracticalrtMatch3.0.11rc2
ORbestpracticalrtMatch3.0.11rc3
ORbestpracticalrtMatch3.0.11rc4
ORbestpracticalrtMatch3.0.12
ORbestpracticalrtMatch3.1.2
ORbestpracticalrtMatch3.1.3
ORbestpracticalrtMatch3.1.4
ORbestpracticalrtMatch3.1.5
ORbestpracticalrtMatch3.1.6
ORbestpracticalrtMatch3.1.7
ORbestpracticalrtMatch3.1.8
ORbestpracticalrtMatch3.1.10
ORbestpracticalrtMatch3.1.11
ORbestpracticalrtMatch3.1.12
ORbestpracticalrtMatch3.1.13
ORbestpracticalrtMatch3.1.14
ORbestpracticalrtMatch3.1.15
ORbestpracticalrtMatch3.1.16
ORbestpracticalrtMatch3.1.17
ORbestpracticalrtMatch3.2.0
ORbestpracticalrtMatch3.2.0rc1
ORbestpracticalrtMatch3.2.0rc2
ORbestpracticalrtMatch3.2.0rc3
ORbestpracticalrtMatch3.2.0rc4
ORbestpracticalrtMatch3.2.1
ORbestpracticalrtMatch3.2.1rc1
ORbestpracticalrtMatch3.2.1rc2
ORbestpracticalrtMatch3.2.1rc3
ORbestpracticalrtMatch3.2.1rc4
ORbestpracticalrtMatch3.2.2
ORbestpracticalrtMatch3.2.2rc1
ORbestpracticalrtMatch3.2.3
ORbestpracticalrtMatch3.2.3rc1
ORbestpracticalrtMatch3.2.3rc2
ORbestpracticalrtMatch3.4.0
ORbestpracticalrtMatch3.4.0rc1
ORbestpracticalrtMatch3.4.0rc2
ORbestpracticalrtMatch3.4.0rc3
ORbestpracticalrtMatch3.4.0rc4
ORbestpracticalrtMatch3.4.0rc5
ORbestpracticalrtMatch3.4.0rc6
ORbestpracticalrtMatch3.4.1
ORbestpracticalrtMatch3.4.2
ORbestpracticalrtMatch3.4.2rc1
ORbestpracticalrtMatch3.4.2rc2
ORbestpracticalrtMatch3.4.3
ORbestpracticalrtMatch3.4.3rc1
ORbestpracticalrtMatch3.4.3rc2
ORbestpracticalrtMatch3.4.4
ORbestpracticalrtMatch3.4.4pre1
ORbestpracticalrtMatch3.4.4pre2
ORbestpracticalrtMatch3.4.4pre3
ORbestpracticalrtMatch3.4.5
ORbestpracticalrtMatch3.4.5pre1
ORbestpracticalrtMatch3.4.5rc1
ORbestpracticalrtMatch3.4.5rc2
ORbestpracticalrtMatch3.4.6
ORbestpracticalrtMatch3.4.6rc1
ORbestpracticalrtMatch3.4.6rc2
ORbestpracticalrtMatch3.4.7rc1
ORbestpracticalrtMatch3.5.1
ORbestpracticalrtMatch3.5.2
ORbestpracticalrtMatch3.5.3
ORbestpracticalrtMatch3.5.4
ORbestpracticalrtMatch3.5.5
ORbestpracticalrtMatch3.5.6
ORbestpracticalrtMatch3.5.7
ORbestpracticalrtMatch3.6.0
ORbestpracticalrtMatch3.6.0pre0
ORbestpracticalrtMatch3.6.0pre1
ORbestpracticalrtMatch3.6.0rc1
ORbestpracticalrtMatch3.6.0rc2
ORbestpracticalrtMatch3.6.0rc3
ORbestpracticalrtMatch3.6.1
ORbestpracticalrtMatch3.6.1pre2
ORbestpracticalrtMatch3.6.1rc1
ORbestpracticalrtMatch3.6.1rc2
ORbestpracticalrtMatch3.6.2
ORbestpracticalrtMatch3.6.2rc1
ORbestpracticalrtMatch3.6.2rc3
ORbestpracticalrtMatch3.6.2rc4
ORbestpracticalrtMatch3.6.2rc5
ORbestpracticalrtMatch3.6.3
ORbestpracticalrtMatch3.6.3rc1
ORbestpracticalrtMatch3.6.3rc2
ORbestpracticalrtMatch3.6.3rc3
ORbestpracticalrtMatch3.6.3rc4
ORbestpracticalrtMatch3.6.4
ORbestpracticalrtMatch3.6.4rc1
ORbestpracticalrtMatch3.6.4rc2
ORbestpracticalrtMatch3.6.5
ORbestpracticalrtMatch3.6.5rc1
ORbestpracticalrtMatch3.6.5rc2
ORbestpracticalrtMatch3.6.6
ORbestpracticalrtMatch3.6.6rc1
ORbestpracticalrtMatch3.6.6rc2
ORbestpracticalrtMatch3.6.6rc3
ORbestpracticalrtMatch3.6.7
ORbestpracticalrtMatch3.6.8
ORbestpracticalrtMatch3.6.9
ORbestpracticalrtMatch3.7.1
ORbestpracticalrtMatch3.7.5
ORbestpracticalrtMatch3.7.80
ORbestpracticalrtMatch3.7.85
ORbestpracticalrtMatch3.7.86
ORbestpracticalrtMatch3.8.0
ORbestpracticalrtMatch3.8.0rc1
ORbestpracticalrtMatch3.8.0rc2
ORbestpracticalrtMatch3.8.0rc3
ORbestpracticalrtMatch3.8.1
ORbestpracticalrtMatch3.8.1rc1
ORbestpracticalrtMatch3.8.1rc2
ORbestpracticalrtMatch3.8.1rc3
ORbestpracticalrtMatch3.8.1rc4
ORbestpracticalrtMatch3.8.1rc5
ORbestpracticalrtMatch3.8.2
ORbestpracticalrtMatch3.8.2rc1
ORbestpracticalrtMatch3.8.2rc2
ORbestpracticalrtMatch3.8.3
ORbestpracticalrtMatch3.8.3rc1
ORbestpracticalrtMatch3.8.3rc2
ORbestpracticalrtMatch3.8.4
ORbestpracticalrtMatch3.8.4rc1
ORbestpracticalrtMatch3.8.5
ORbestpracticalrtMatch3.8.6
ORbestpracticalrtMatch3.8.6rc1
ORbestpracticalrtMatch3.8.7rc1
ORbestpracticalrtMatch3.8.8rc2
ORbestpracticalrtMatch3.8.8rc3
ORbestpracticalrtMatch3.8.8rc4
Node
bestpracticalrtMatch4.0.0rc1
ORbestpracticalrtMatch4.0.0rc2
ORbestpracticalrtMatch4.0.0rc3
References
bugs.debian.org/cgi-bin/bugreport.cgi?bug=610850
lists.bestpractical.com/pipermail/rt-announce/2011-January/000185.html
lists.fedoraproject.org/pipermail/package-announce/2011-March/054740.html
osvdb.org/70661
secunia.com/advisories/43438
www.debian.org/security/2011/dsa-2150
www.securityfocus.com/bid/45959
www.vupen.com/english/advisories/2011/0190
www.vupen.com/english/advisories/2011/0475
www.vupen.com/english/advisories/2011/0576
bugzilla.redhat.com/show_bug.cgi?id=672250
lists.apache.org/thread.html/rf9fa47ab66495c78bb4120b0754dd9531ca2ff0430f6685ac9b07772%40%3Cdev.mina.apache.org%3E
Related
nessus
nessus
Fedora 15 : rt3-3.8.9-1.fc15 (2011-1677)
2011-03-03 00:00:00
Debian DSA-2150-1 : request-tracker3.6 - unsalted password hashing
2011-01-25 00:00:00
Debian DSA-2480-4 : request-tracker3.8 - several vulnerabilities
2012-06-29 00:00:00
openvas
openvas
Request Tracker Password Information Disclosure Vulnerability
2011-01-24 00:00:00
Debian Security Advisory DSA 2150-1 (request-tracker3.6)
2011-03-07 00:00:00
Request Tracker Password Information Disclosure Vulnerability
2011-01-24 00:00:00
fedora
fedora
[SECURITY] Fedora 15 Update: rt3-3.8.9-1.fc15
2011-03-03 03:21:54
prion
prion
Default credentials
2011-01-25 19:00:00
Design/Logic Flaw
2012-06-04 19:55:00
debian
debian
[BSA-022] Security Update for request-tracker3.8
2011-01-24 07:22:34
[SECURITY] [DSA 2150-1] request-tracker3.6 security update
2011-01-22 11:13:26
[SECURITY] [DSA 2480-1] request-tracker3.8 security update
2012-05-24 17:37:03
ubuntucve
ubuntucve
CVE-2011-0009
2011-01-25 00:00:00
CVE-2011-2082
2012-06-04 00:00:00
securityvulns
securityvulns
[SECURITY] [DSA 2150-1] request-tracker3.6 security update
2011-01-24 00:00:00
Web applications security vulnerabilities summary (PHP, ASP, JSP, CGI, Perl)
2011-01-24 00:00:00
[SECURITY] [DSA 2480-1] request-tracker3.8 security update
2012-06-03 00:00:00
cvelist
cvelist
CVE-2011-0009
2011-01-25 18:00:00
CVE-2011-2082
2012-06-04 19:00:00
nvd
nvd
CVE-2011-0009
2011-01-25 19:00:03
CVE-2011-2082
2012-06-04 19:55:01
cve
cve
CVE-2011-2082
2012-06-04 19:55:01
debiancve
debiancve
CVE-2011-2082
2012-06-04 19:55:01
freebsd
freebsd
RT -- Multiple Vulnerabilities
2012-05-22 00:00:00
osv
osv
request-tracker3.8 - regression
2012-09-15 00:00:00
request-tracker3.8 - several
2012-09-15 00:00:00
request-tracker3.8 - regression
2012-09-15 00:00:00
4.3 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:M/Au:N/C:P/I:N/A:N
6.3 Medium
AI Score
Confidence
Low
0.004 Low
EPSS
Percentile
74.9%
Related for CVE-2011-0009