CVE-2011-2082Request-tracker4 vulnerability

7 documents5 sources
Severity
5.0MEDIUMNVD
OSV4.3
EPSS
0.4%
top 41.30%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Debian Request-tracker4Bestpractical RT
Timeline
PublishedJun 4
Latest updateMay 17

Description

The vulnerable-passwords script in Best Practical Solutions RT 3.x before 3.8.12 and 4.x before 4.0.6 does not update the password-hash algorithm for disabled user accounts, which makes it easier for context-dependent attackers to determine cleartext passwords, and possibly use these passwords after accounts are re-enabled, via a brute-force attack on the database. NOTE: this vulnerability exists because of an incomplete fix for CVE-2011-0009.

CVSS vector

AV:N/AC:L/C:P/I:N/A:NExploitability: 10.0 | Impact: 2.9

Affected Packages2 packages

NVDbestpractical/rt83 versions+82
debiandebian/request-tracker4< request-tracker4 4.0.5-3 (bookworm)

Patches

Patch: lists.bestpractical.comPatch: lists.bestpractical.comPatch: lists.bestpractical.com

🔴Vulnerability Details

2
GHSA
GHSA-pxc3-v4rj-fc78: The vulnerable-passwords script in Best Practical Solutions RT 32022-05-17
OSV
CVE-2011-2082: The vulnerable-passwords script in Best Practical Solutions RT 32012-06-04

📋Vendor Advisories

1
Debian
CVE-2011-2082: request-tracker4 - The vulnerable-passwords script in Best Practical Solutions RT 3.x before 3.8.12...2011

💬Community

3
Bugzilla
rt3: Multiple security flaws fixed in upstream v3.8.12 and v4.0.6 versions2012-05-22
Bugzilla
CVE-2011-2082 rt3: Multiple security flaws fixed in upstream v3.8.12 and v4.0.6 versions [epel-all]2012-05-22
Bugzilla
CVE-2011-2082 rt3: Multiple security flaws fixed in upstream v3.8.12 and v4.0.6 versions [fedora-all]2012-05-22
CVE-2011-2082 — Debian Request-tracker4 vulnerability | cvebase