CVE-2011-4458 — Code Injection in Request-tracker4

CWE-94 — Code Injection10 documents5 sources

Severity

7.5HIGHNVD

NVD6.8NVD6.5OSV6.8

EPSS

1.5%

top 18.70%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Debian Request-tracker4 Bestpractical RT

Timeline

PublishedJun 4

Latest updateMay 17

Description

Best Practical Solutions RT 3.6.x, 3.7.x, and 3.8.x before 3.8.12 and 4.x before 4.0.6, when the VERPPrefix and VERPDomain options are enabled, allows remote attackers to execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2011-5092 and CVE-2011-5093.

CVSS vector

AV:N/AC:M/C:P/I:P/A:PExploitability: 8.6 | Impact: 6.4

Affected Packages2 packages

▶NVDbestpractical/rt83 versions+82

▶debiandebian/request-tracker4< request-tracker4 4.0.5-3 (bookworm)

Patches

Patch: lists.bestpractical.com ↗Patch: lists.bestpractical.com ↗Patch: lists.bestpractical.com ↗

🔴Vulnerability Details

GHSA

GHSA-jv9v-724f-v2g6: Best Practical Solutions RT 3↗2022-05-17

▶

GHSA

GHSA-397q-whxp-h2p3: Best Practical Solutions RT 3↗2022-05-17

▶

GHSA

GHSA-3hp8-xj8q-7jfq: Best Practical Solutions RT 4↗2022-05-17

▶

OSV

CVE-2011-4458: Best Practical Solutions RT 3↗2012-06-04

▶

📋Vendor Advisories

Debian

CVE-2011-4458: request-tracker4 - Best Practical Solutions RT 3.6.x, 3.7.x, and 3.8.x before 3.8.12 and 4.x before...↗2011

▶

💬Community

Bugzilla

CVE-2011-5092 rt3: remote arbitrary code execution and privilege elevation flaw↗2012-06-04

▶

Bugzilla

rt3: Multiple security flaws fixed in upstream v3.8.12 and v4.0.6 versions↗2012-05-22

▶