Lucene search

[email protected]CVE-2011-1007

HistoryFeb 28, 2011 - 4:00 p.m.

CVE-2011-1007

2011-02-2816:00:01

CWE-255

[email protected]

web.nvd.nist.gov

cve-2011-1007

credential theft

web security

rt 3.8.9

nvd

2.1 Low

CVSS2

Attack Vector

LOCAL

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:L/AC:L/Au:N/C:P/I:N/A:N

6.5 Medium

AI Score

Confidence

Low

0.003 Low

EPSS

Percentile

65.7%

JSON

Best Practical Solutions RT before 3.8.9 does not perform certain redirect actions upon a login, which allows physically proximate attackers to obtain credentials by resubmitting the login form via the back button of a web browser on an unattended workstation after an RT logout.

Affected configurations

NVD

Node

bestpracticalrtRange≤3.8.9rc3

bestpracticalrtMatch1.0.0

bestpracticalrtMatch1.0.1

bestpracticalrtMatch1.0.2

bestpracticalrtMatch1.0.3

bestpracticalrtMatch1.0.4

bestpracticalrtMatch1.0.5

bestpracticalrtMatch1.0.6

bestpracticalrtMatch1.0.7

bestpracticalrtMatch2.0.0

bestpracticalrtMatch2.0.1

bestpracticalrtMatch2.0.2

bestpracticalrtMatch2.0.3

bestpracticalrtMatch2.0.4

bestpracticalrtMatch2.0.5

bestpracticalrtMatch2.0.5.1

bestpracticalrtMatch2.0.5.3

bestpracticalrtMatch2.0.6

bestpracticalrtMatch2.0.7

bestpracticalrtMatch2.0.8

bestpracticalrtMatch2.0.8.2

bestpracticalrtMatch2.0.9

bestpracticalrtMatch2.0.11

bestpracticalrtMatch2.0.12

bestpracticalrtMatch2.0.13

bestpracticalrtMatch2.0.14

bestpracticalrtMatch2.0.15

bestpracticalrtMatch3.0.0

bestpracticalrtMatch3.0.1

bestpracticalrtMatch3.0.2

bestpracticalrtMatch3.0.3

bestpracticalrtMatch3.0.4

bestpracticalrtMatch3.0.5

bestpracticalrtMatch3.0.6

bestpracticalrtMatch3.0.7

bestpracticalrtMatch3.0.7.1

bestpracticalrtMatch3.0.8

bestpracticalrtMatch3.0.9

bestpracticalrtMatch3.0.10

bestpracticalrtMatch3.0.11

bestpracticalrtMatch3.0.12

bestpracticalrtMatch3.2.0

bestpracticalrtMatch3.2.1

bestpracticalrtMatch3.2.2

bestpracticalrtMatch3.2.3

bestpracticalrtMatch3.4.0

bestpracticalrtMatch3.4.1

bestpracticalrtMatch3.4.2

bestpracticalrtMatch3.4.3

bestpracticalrtMatch3.4.4

bestpracticalrtMatch3.4.5

bestpracticalrtMatch3.4.6

bestpracticalrtMatch3.6.0

bestpracticalrtMatch3.6.1

bestpracticalrtMatch3.6.2

bestpracticalrtMatch3.6.3

bestpracticalrtMatch3.6.4

bestpracticalrtMatch3.6.5

bestpracticalrtMatch3.6.6

bestpracticalrtMatch3.6.7

bestpracticalrtMatch3.6.8

bestpracticalrtMatch3.6.9

bestpracticalrtMatch3.8.0

bestpracticalrtMatch3.8.1

bestpracticalrtMatch3.8.2

bestpracticalrtMatch3.8.3

bestpracticalrtMatch3.8.4

bestpracticalrtMatch3.8.5

bestpracticalrtMatch3.8.6

bestpracticalrtMatch3.8.6rc1

bestpracticalrtMatch3.8.7rc1

bestpracticalrtMatch3.8.8rc2

bestpracticalrtMatch3.8.8rc3

bestpracticalrtMatch3.8.8rc4

bestpracticalrtMatch3.8.9rc1

bestpracticalrtMatch3.8.9rc2

CPENameOperatorVersion
bestpractical:rtbestpractical rtle3.8.9
bestpractical:rtbestpractical rteq1.0.0
bestpractical:rtbestpractical rteq1.0.1
bestpractical:rtbestpractical rteq1.0.2
bestpractical:rtbestpractical rteq1.0.3
bestpractical:rtbestpractical rteq1.0.4
bestpractical:rtbestpractical rteq1.0.5
bestpractical:rtbestpractical rteq1.0.6
bestpractical:rtbestpractical rteq1.0.7
bestpractical:rtbestpractical rteq2.0.0

CPE	Name	Operator	Version
bestpractical:rt	bestpractical rt	le	3.8.9
bestpractical:rt	bestpractical rt	eq	1.0.0
bestpractical:rt	bestpractical rt	eq	1.0.1
bestpractical:rt	bestpractical rt	eq	1.0.2
bestpractical:rt	bestpractical rt	eq	1.0.3
bestpractical:rt	bestpractical rt	eq	1.0.4
bestpractical:rt	bestpractical rt	eq	1.0.5
bestpractical:rt	bestpractical rt	eq	1.0.6
bestpractical:rt	bestpractical rt	eq	1.0.7
bestpractical:rt	bestpractical rt	eq	2.0.0

Rows per page:

1-10 of 711

References

bugs.debian.org/cgi-bin/bugreport.cgi?bug=614575

issues.bestpractical.com/Ticket/Display.html?id=15804

lists.bestpractical.com/pipermail/rt-announce/2011-February/000186.html

openwall.com/lists/oss-security/2011/02/22/12

openwall.com/lists/oss-security/2011/02/22/16

openwall.com/lists/oss-security/2011/02/22/6

openwall.com/lists/oss-security/2011/02/23/22

openwall.com/lists/oss-security/2011/02/24/7

openwall.com/lists/oss-security/2011/02/24/8

openwall.com/lists/oss-security/2011/02/24/9

osvdb.org/71012

secunia.com/advisories/43438

www.vupen.com/english/advisories/2011/0475

exchange.xforce.ibmcloud.com/vulnerabilities/65771

github.com/bestpractical/rt/commit/057552287159e801535e59b8fbd5bd98d1322069

github.com/bestpractical/rt/commit/917c211820590950f7eb0521f7f43b31aeed44c4

lists.apache.org/thread.html/rf9fa47ab66495c78bb4120b0754dd9531ca2ff0430f6685ac9b07772%40%3Cdev.mina.apache.org%3E

2.1 Low

CVSS2

Attack Vector

LOCAL

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:L/AC:L/Au:N/C:P/I:N/A:N

6.5 Medium

AI Score

Confidence

Low

0.003 Low

EPSS

Percentile

65.7%

JSON

Related for CVE-2011-1007

nvd1 ubuntucve1 prion1 cvelist1 nessus1 openvas2