CVE-2011-0009 — Request-tracker4 vulnerability

CWE-31011 documents6 sources

Severity

5.0MEDIUMNVD

NVD4.3OSV4.3

EPSS

0.8%

top 25.31%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Debian Request-tracker4 Bestpractical RT

Timeline

PublishedJan 25

Latest updateMay 17

Description

Best Practical Solutions RT 3.x before 3.8.9rc2 and 4.x before 4.0.0rc4 uses the MD5 algorithm for password hashes, which makes it easier for context-dependent attackers to determine cleartext passwords via a brute-force attack on the database.

CVSS vector

AV:N/AC:M/C:P/I:N/A:NExploitability: 8.6 | Impact: 2.9

Affected Packages2 packages

▶NVDbestpractical/rt3.8.9+83

▶debiandebian/request-tracker4< request-tracker4 4.0.5-3 (bookworm)

Patches

Patch: bugs.debian.org ↗Patch: lists.bestpractical.com ↗Patch: bugzilla.redhat.com ↗

🔴Vulnerability Details

GHSA

GHSA-pxc3-v4rj-fc78: The vulnerable-passwords script in Best Practical Solutions RT 3↗2022-05-17

▶

GHSA

GHSA-297v-jphp-x99g: Best Practical Solutions RT 3↗2022-05-03

▶

OSV

CVE-2011-2082: The vulnerable-passwords script in Best Practical Solutions RT 3↗2012-06-04

▶

📋Vendor Advisories

Debian

CVE-2011-2082: request-tracker4 - The vulnerable-passwords script in Best Practical Solutions RT 3.x before 3.8.12...↗2011

▶

💬Community

Bugzilla

rt3: Multiple security flaws fixed in upstream v3.8.12 and v4.0.6 versions↗2012-05-22

▶

Bugzilla

CVE-2011-0009 CVE-2011-1008 CVE-2011-1007 rt3 various flaws [epel-6]↗2011-02-24

▶

Bugzilla

CVE-2011-0009 RT3: Insecure hashing algorithm used for storage of user passwords [fedora-all]↗2011-01-24

▶

Bugzilla

CVE-2011-0009 RT3: Insecure hashing algorithm used for storage of user passwords↗2011-01-24

▶