CVE-2011-2082
published 2012-06-04CVE-2011-2082: The vulnerable-passwords script in Best Practical Solutions RT 3.x before 3.8.12 and 4.x before 4.0.6 does not update the password-hash algorithm for disabled…
PriorityP422medium5CVSS 2.0
AVNACLAuNCPINAN
EPSS
1.19%
64.1th percentile
The vulnerable-passwords script in Best Practical Solutions RT 3.x before 3.8.12 and 4.x before 4.0.6 does not update the password-hash algorithm for disabled user accounts, which makes it easier for context-dependent attackers to determine cleartext passwords, and possibly use these passwords after accounts are re-enabled, via a brute-force attack on the database. NOTE: this vulnerability exists because of an incomplete fix for CVE-2011-0009.
Affected
84 ranges· showing 25
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| bestpractical | rt | — | — |
| bestpractical | rt | — | — |
| bestpractical | rt | — | — |
| bestpractical | rt | — | — |
| bestpractical | rt | — | — |
| bestpractical | rt | — | — |
| bestpractical | rt | — | — |
| bestpractical | rt | — | — |
| bestpractical | rt | — | — |
| bestpractical | rt | — | — |
| bestpractical | rt | — | — |
| bestpractical | rt | — | — |
| bestpractical | rt | — | — |
| bestpractical | rt | — | — |
| bestpractical | rt | — | — |
| bestpractical | rt | — | — |
| bestpractical | rt | — | — |
| bestpractical | rt | — | — |
| bestpractical | rt | — | — |
| bestpractical | rt | — | — |
| bestpractical | rt | — | — |
| bestpractical | rt | — | — |
| bestpractical | rt | — | — |
| bestpractical | rt | — | — |
| bestpractical | rt | — | — |
CVSS provenance
nvdv2.05.0MEDIUMAV:N/AC:L/Au:N/C:P/I:N/A:N
osv4.3MEDIUM
vendor_debian4.3MEDIUM
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
GHSA
GHSA-pxc3-v4rj-fc78: The vulnerable-passwords script in Best Practical Solutions RT 3
ghsa_unreviewed·2022-05-17·CVSS 4.3
CVE-2011-2082 [MEDIUM] GHSA-pxc3-v4rj-fc78: The vulnerable-passwords script in Best Practical Solutions RT 3
The vulnerable-passwords script in Best Practical Solutions RT 3.x before 3.8.12 and 4.x before 4.0.6 does not update the password-hash algorithm for disabled user accounts, which makes it easier for context-dependent attackers to determine cleartext passwords, and possibly use these passwords after accounts are re-enabled, via a brute-force attack on the database. NOTE: this vulnerability exists because of an incomplete fix for CVE-2011-0009.
OSV
CVE-2011-2082: The vulnerable-passwords script in Best Practical Solutions RT 3
osv·2012-06-04·CVSS 4.3
CVE-2011-2082 [MEDIUM] CVE-2011-2082: The vulnerable-passwords script in Best Practical Solutions RT 3
The vulnerable-passwords script in Best Practical Solutions RT 3.x before 3.8.12 and 4.x before 4.0.6 does not update the password-hash algorithm for disabled user accounts, which makes it easier for context-dependent attackers to determine cleartext passwords, and possibly use these passwords after accounts are re-enabled, via a brute-force attack on the database. NOTE: this vulnerability exists because of an incomplete fix for CVE-2011-0009.
Debian
CVE-2011-2082: request-tracker4 - The vulnerable-passwords script in Best Practical Solutions RT 3.x before 3.8.12...
vendor_debian·2011·CVSS 4.3
CVE-2011-2082 [MEDIUM] CVE-2011-2082: request-tracker4 - The vulnerable-passwords script in Best Practical Solutions RT 3.x before 3.8.12...
The vulnerable-passwords script in Best Practical Solutions RT 3.x before 3.8.12 and 4.x before 4.0.6 does not update the password-hash algorithm for disabled user accounts, which makes it easier for context-dependent attackers to determine cleartext passwords, and possibly use these passwords after accounts are re-enabled, via a brute-force attack on the database. NOTE: this vulnerability exists because of an incomplete fix for CVE-2011-0009.
Scope: local
bookworm: resolved (fixed in 4.0.5-3)
bullseye: resolved (fixed in 4.0.5-3)
sid: resolved (fixed in 4.0.5-3)
No detection rules found.
No public exploits indexed.
Bugzilla
rt3: Multiple security flaws fixed in upstream v3.8.12 and v4.0.6 versions
bugzilla·2012-05-22·CVSS 4.3
CVE-2011-0009 [MEDIUM] rt3: Multiple security flaws fixed in upstream v3.8.12 and v4.0.6 versions
rt3: Multiple security flaws fixed in upstream v3.8.12 and v4.0.6 versions
Request Tracker (RT) upstream has announced upstream v3.8.12 and v4.0.6 versions:
http://blog.bestpractical.com/2012/05/security-vulnerabilities-in-rt.html
correcting the following security flaws:
The previously released tool to upgrade weak password hashes as part of CVE-2011-0009 was an incomplete fix and failed to upgrade passwords of disabled users. This release includes an updated version of the vulnerable-passwords tool, which should be run again to upgrade the remaining password hashes. CVE-2011-2082 is assigned to this vulnerability.
RT versions 3.0 and above contain a number of cross-site scripting (XSS) vulnerabilities which allow an attacker to run JavaScript with the user's credentials. CVE-2011-2083
Bugzilla
CVE-2011-2082 rt3: Multiple security flaws fixed in upstream v3.8.12 and v4.0.6 versions [epel-all]
bugzilla·2012-05-22·CVSS 5.0
CVE-2011-2082 [MEDIUM] CVE-2011-2082 rt3: Multiple security flaws fixed in upstream v3.8.12 and v4.0.6 versions [epel-all]
CVE-2011-2082 rt3: Multiple security flaws fixed in upstream v3.8.12 and v4.0.6 versions [epel-all]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected Fedora
versions.
For comments that are specific to the vulnerability please use bugs filed
against "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When creating a Bodhi update request, please include this bug ID and the
bug IDs of this bug's parent bugs filed against the "Security Response"
product (the top-level CVE bugs). Please mention the CVE IDs being fixed
in the RPM changelog when available.
Bodhi update submission link:
https://admin.fedoraproject.org/upd
Bugzilla
CVE-2011-2082 rt3: Multiple security flaws fixed in upstream v3.8.12 and v4.0.6 versions [fedora-all]
bugzilla·2012-05-22·CVSS 5.0
CVE-2011-2082 [MEDIUM] CVE-2011-2082 rt3: Multiple security flaws fixed in upstream v3.8.12 and v4.0.6 versions [fedora-all]
CVE-2011-2082 rt3: Multiple security flaws fixed in upstream v3.8.12 and v4.0.6 versions [fedora-all]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected Fedora
versions.
For comments that are specific to the vulnerability please use bugs filed
against "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When creating a Bodhi update request, please include this bug ID and the
bug IDs of this bug's parent bugs filed against the "Security Response"
product (the top-level CVE bugs). Please mention the CVE IDs being fixed
in the RPM changelog when available.
Bodhi update submission link:
https://admin.fedoraproject.org/u
http://lists.bestpractical.com/pipermail/rt-announce/2012-May/000202.htmlhttp://lists.bestpractical.com/pipermail/rt-announce/2012-May/000203.htmlhttp://lists.bestpractical.com/pipermail/rt-announce/2012-May/000204.htmlhttp://secunia.com/advisories/49259http://www.securityfocus.com/bid/53660http://lists.bestpractical.com/pipermail/rt-announce/2012-May/000202.htmlhttp://lists.bestpractical.com/pipermail/rt-announce/2012-May/000203.htmlhttp://lists.bestpractical.com/pipermail/rt-announce/2012-May/000204.htmlhttp://secunia.com/advisories/49259http://www.securityfocus.com/bid/53660
2012-06-04
Published