CVE-2012-6581: Request-tracker4 vulnerability

CWE-264 | 4 documents | 4 sources
Severity: 4.3 MEDIUM (NVD)
EPSS: 0.4% (top 39.60%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Jul 24 | Latest update May 17

Description

Best Practical Solutions RT 3.8.x before 3.8.15 and 4.0.x before 4.0.8, when GnuPG is enabled, allows remote attackers to bypass intended restrictions on reading keys in the product's keyring, and trigger outbound e-mail messages signed by an arbitrary stored secret key, by leveraging a UI e-mail signing privilege.

CVSS vector

AV:N/AC:M/C:N/I:P/A:N
Exploitability: 8.6 | Impact: 2.9

Affected Packages (2 packages)

NVD: bestpractical/request_tracker, 17 versions (+16)
debian: debian/request-tracker4 < request-tracker4 4.0.7-2 (bookworm)

Patches

🔴 Vulnerability Details (2)

GHSA: GHSA-g3f8-5r75-qjfx: Best Practical Solutions RT 3 (2022-05-17)
OSV: CVE-2012-6581: Best Practical Solutions RT 3 (2013-07-24)

📋 Vendor Advisories (1)

Debian: CVE-2012-6581: request-tracker4 - Best Practical Solutions RT 3.8.x before 3.8.15 and 4.0.x before 4.0.8, when Gnu... (2012)