CVE-2012-6578: Request-tracker4 vulnerability

CWE-310 | 4 documents | 4 sources
Severity: 4.3 MEDIUM (NVD)
EPSS: 0.3% (top 50.82%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Jul 24; latest update May 17

Description

Best Practical Solutions RT 3.8.x before 3.8.15 and 4.0.x before 4.0.8, when GnuPG is enabled with a "Sign by default" queue configuration, uses a queue's key for signing, which might allow remote attackers to spoof messages by leveraging the lack of authentication semantics.

CVSS vector

AV:N/AC:M/C:N/I:P/A:N
Exploitability: 8.6 | Impact: 2.9

Affected Packages (2 packages)

NVD: bestpractical/request_tracker, 17 versions (+16)
Debian: debian/request-tracker4 < request-tracker4 4.0.7-2 (bookworm)

Patches

Vulnerability Details (2)

GHSA: GHSA-g7j7-53qx-fqp5: Best Practical Solutions RT 3 (2022-05-17)
OSV: CVE-2012-6578: Best Practical Solutions RT 3 (2013-07-24)

Vendor Advisories (1)

Debian: CVE-2012-6578: request-tracker4 - Best Practical Solutions RT 3.8.x before 3.8.15 and 4.0.x before 4.0.8, when Gnu... (2012)
CVE-2012-6578 — Debian Request-tracker4 vulnerability | cvebase