CVE-2011-5093 — Code Injection in Request-tracker4

CWE-94 — Code Injection9 documents5 sources

Severity

7.5HIGHNVD

NVD6.8NVD6.5OSV6.8

EPSS

0.6%

top 29.29%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Debian Request-tracker4 Bestpractical RT

Timeline

PublishedJun 4

Latest updateMay 17

Description

Best Practical Solutions RT 4.x before 4.0.6 does not properly implement the DisallowExecuteCode option, which allows remote authenticated users to bypass intended access restrictions and execute arbitrary code by leveraging access to a privileged account, a different vulnerability than CVE-2011-4458 and CVE-2011-5092.

CVSS vector

AV:N/AC:L/C:P/I:P/A:PExploitability: 8.0 | Impact: 6.4

Affected Packages2 packages

▶NVDbestpractical/rt83 versions+82

▶debiandebian/request-tracker4< request-tracker4 4.0.5-3 (bookworm)

Patches

Patch: lists.bestpractical.com ↗Patch: lists.bestpractical.com ↗Patch: lists.bestpractical.com ↗

🔴Vulnerability Details

GHSA

GHSA-jv9v-724f-v2g6: Best Practical Solutions RT 3↗2022-05-17

▶

GHSA

GHSA-397q-whxp-h2p3: Best Practical Solutions RT 3↗2022-05-17

▶

GHSA

GHSA-3hp8-xj8q-7jfq: Best Practical Solutions RT 4↗2022-05-17

▶

OSV

CVE-2011-4458: Best Practical Solutions RT 3↗2012-06-04

▶

📋Vendor Advisories

Debian

CVE-2011-4458: request-tracker4 - Best Practical Solutions RT 3.6.x, 3.7.x, and 3.8.x before 3.8.12 and 4.x before...↗2011

▶

💬Community

Bugzilla

CVE-2011-5092 rt3: remote arbitrary code execution and privilege elevation flaw↗2012-06-04

▶