CVE-2012-4404
Published 2012-09-10
CVE-2012-4404: security/__init__.py in MoinMoin 1.9 through 1.9.4 does not properly handle group names that contain virtual group names such as "All," "Known," or "Trusted,"…
Priority P4 · 27 · medium · 6 · CVSS 2.0 · AV:N/AC:M/Au:S/C:P/I:P/A:P
EPSS 2.09% (79.3th percentile)
security/__init__.py in MoinMoin 1.9 through 1.9.4 does not properly handle group names that contain virtual group names such as "All," "Known," or "Trusted," which allows remote authenticated users with virtual group membership to be treated as a member of the group.
Affected
5 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| moinmo | moinmoin | — | — |
| moinmo | moinmoin | — | — |
| moinmo | moinmoin | — | — |
| moinmo | moinmoin | — | — |
| moinmo | moinmoin | — | — |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 2.0 | 6.0 | MEDIUM | AV:N/AC:M/Au:S/C:P/I:P/A:P |
| vendor_ubuntu | — | 2.6 | LOW | — |
OSV
osv · 2022-05-17
CVE-2012-4404 [MEDIUM] MoinMoin Improper Access Control
`security/__init__.py` in MoinMoin 1.9 through 1.9.4 does not properly handle group names that contain virtual group names such as "All," "Known," or "Trusted," which allows remote authenticated users with virtual group membership to be treated as a member of the group.
GHSA
ghsa · 2022-05-17
CVE-2012-4404 [MEDIUM] CWE-284 MoinMoin Improper Access Control
`security/__init__.py` in MoinMoin 1.9 through 1.9.4 does not properly handle group names that contain virtual group names such as "All," "Known," or "Trusted," which allows remote authenticated users with virtual group membership to be treated as a member of the group.
OSV
osv · 2012-09-10
CVE-2012-4404: security/__init__
security/__init__.py in MoinMoin 1.9 through 1.9.4 does not properly handle group names that contain virtual group names such as "All," "Known," or "Trusted," which allows remote authenticated users with virtual group membership to be treated as a member of the group.
Ubuntu
vendor_ubuntu · 2012-10-11 · CVSS 2.6
CVE-2011-1058 [LOW] MoinMoin vulnerabilities
Title: MoinMoin vulnerabilities
Summary: Several security issues were fixed in MoinMoin.
It was discovered that MoinMoin did not properly sanitize certain input,
resulting in a cross-site scripting (XSS) vulnerability. With cross-site
scripting vulnerabilities, if a user were tricked into viewing server
output during a crafted server request, a remote attacker could exploit
this to modify the contents, or steal confidential data, within the same
domain. (CVE-2011-1058)
It was discovered that MoinMoin incorrectly handled group names that
contain virtual group names such as "All", "Known" or "Trusted". This could
result in a remote user having incorrect permissions. (CVE-2012-4404)
Instructions: In general, a standard system update will make all the necessary changes.
No detection rules found.
No public exploits indexed.
Bugzilla
bugzilla · 2012-09-05 · CVSS 6.0
CVE-2012-4404 [MEDIUM] moin: Improper ACL rules enforcement due to a bug in the way virtual groups were handled previously during ACL evaluation [fedora-all]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected Fedora
versions.
For comments that are specific to the vulnerability please use bugs filed
against "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When creating a Bodhi update request, please include this bug ID and the
bug IDs of this bug's parent bugs filed against the "Security Response"
product (the top-level CVE bugs). Please mention the CVE IDs being fixed
in the RPM changelog when available.
Bodhi update sub
Bugzilla
bugzilla · 2012-09-05 · CVSS 6.0
CVE-2012-4404 [MEDIUM] moin: Improper ACL rules enforcement due to a bug in the way virtual groups were handled previously during ACL evaluation
A security flaw was found in the way MoinMoin, a wiki engine to collaborate on easily editable web pages, performed enforcement of access control list (ACL) rules for certain virtual groups. Previously, if the group contained special members like "All", "Known" or "Trusted", due to a bug in virtual groups handling the ACL evaluation code was checking if they are present in the NAME group (and not, as intended, in the MEMBERS group). This problem caused trusted users not to be properly included in groups they should be in, and vice versa (untrusted users were not excluded from group membership as they should have been).
Upstream patch:
[1] http://hg.moinmo.i
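To make the NAME-versus-MEMBERS mix-up concrete, here is an added, simplified ACL evaluator modelled on the Fedora description above; it is illustration code, not MoinMoin's own `security/__init__.py`, and the function names, user model and group names are assumptions. The `vulnerable` flag switches between looking for a virtual group as a substring of the group's name and looking for it among the group's members.

```python
# Added illustration of the CVE-2012-4404 logic flaw: a simplified ACL
# evaluator modelled on the Fedora bug text, not MoinMoin's own code.
SPECIAL_USERS = ("All", "Known", "Trusted")  # virtual groups, in priority order

def _special_matches(special, user):
    """Does this virtual group apply to the user? (assumed user model: a dict)"""
    if special == "All":
        return True
    if special == "Known":
        return user["known"]      # any authenticated user
    if special == "Trusted":
        return user["trusted"]    # authenticated via a trusted method
    return False

def may(acl, groups, user, dowhat, vulnerable):
    """Evaluate an ACL (list of (entry, rightsdict)) for one user and one right.

    vulnerable=True : a virtual group is searched for as a *substring of the
                      group NAME* (the bug described above).
    vulnerable=False: it is searched for among the group MEMBERS (intended).
    Returns True/False for an explicit decision, None if no entry matched.
    """
    for entry, rightsdict in acl:
        allowed = None
        if entry in SPECIAL_USERS:
            if _special_matches(entry, user):
                allowed = rightsdict.get(dowhat)
        elif entry in groups:
            if user["name"] in groups[entry]:
                allowed = rightsdict.get(dowhat)
            else:
                for special in SPECIAL_USERS:
                    haystack = entry if vulnerable else groups[entry]
                    if special in haystack:   # substring test vs membership test
                        if _special_matches(special, user):
                            allowed = rightsdict.get(dowhat)
                        break  # first matching virtual group decides
        elif entry == user["name"]:
            allowed = rightsdict.get(dowhat)
        if allowed is not None:
            return allowed
    return None

# Constructed sample data: a group whose NAME contains "All" but whose members
# do not, and a group whose MEMBERS contain "All".
GROUPS = {"AllStaffGroup": {"alice"}, "EditorsGroup": {"bob", "All"}}
ACL = [("AllStaffGroup", {"write": True}), ("EditorsGroup", {"read": True})]
MALLORY = {"name": "mallory", "known": True, "trusted": False}

if __name__ == "__main__":
    for flag in (True, False):
        print("vulnerable" if flag else "fixed",
              "write:", may(ACL, GROUPS, MALLORY, "write", flag),
              "read:", may(ACL, GROUPS, MALLORY, "read", flag))
```

With the flaw, an outsider gains write access through `AllStaffGroup` merely because its name contains "All", while the `EditorsGroup` entry that really lists "All" grants nothing; with the fix both outcomes are reversed.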
Bugzilla
bugzilla · 2012-09-05 · CVSS 6.0
CVE-2012-4404 [MEDIUM] moin: Improper ACL rules enforcement due to a bug in the way virtual groups were handled previously during ACL evaluation [epel-5]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected Fedora
versions.
For comments that are specific to the vulnerability please use bugs filed
against "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When creating a Bodhi update request, please include this bug ID and the
bug IDs of this bug's parent bugs filed against the "Security Response"
product (the top-level CVE bugs). Please mention the CVE IDs being fixed
in the RPM changelog when available.
Bodhi update submiss
References
http://hg.moinmo.in/moin/1.9/rev/7b9f39289e16
http://moinmo.in/SecurityFixes
http://secunia.com/advisories/50474
http://secunia.com/advisories/50496
http://secunia.com/advisories/50885
http://www.debian.org/security/2012/dsa-2538
http://www.openwall.com/lists/oss-security/2012/09/04/4
http://www.openwall.com/lists/oss-security/2012/09/05/2
http://www.ubuntu.com/usn/USN-1604-1