CVE-2015-1464
Published 2015-03-09
CVE-2015-1464: RT (aka Request Tracker) before 4.0.23 and 4.2.x before 4.2.10 allows remote attackers to hijack sessions via an RSS feed URL.
Priority P3 · 35 · medium · CVSS 2.0: 6.4 (AV:N/AC:L/Au:N/C:P/I:P/A:N)
EPSS: 1.99% (78.2th percentile)
Affected: 14 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| bestpractical | request_tracker | <= 4.0.22 | — |
| debian | request-tracker4 | < 4.2.8-3 (bookworm) | 4.2.8-3 (bookworm) |
| fedoraproject | fedora | — | — |
CVSS provenance

| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v2.0 | 6.4 | MEDIUM | AV:N/AC:L/Au:N/C:P/I:P/A:N |
| osv | — | 6.4 | MEDIUM | — |
| vendor_debian | — | 6.4 | MEDIUM | — |
GHSA
GHSA-g28c-mrpm-x2wh: RT (aka Request Tracker) before 4
ghsa_unreviewed · 2022-05-17 · CVE-2015-1464 · MEDIUM · CWE-284
RT (aka Request Tracker) before 4.0.23 and 4.2.x before 4.2.10 allows remote attackers to hijack sessions via an RSS feed URL.
OSV
CVE-2015-1464: RT (aka Request Tracker) before 4
osv · 2015-03-09 · CVE-2015-1464 · MEDIUM · CVSS 6.4
RT (aka Request Tracker) before 4.0.23 and 4.2.x before 4.2.10 allows remote attackers to hijack sessions via an RSS feed URL.
Debian
CVE-2015-1464: request-tracker4 - RT (aka Request Tracker) before 4.0.23 and 4.2.x before 4.2.10 allows remote att...
vendor_debian · 2015 · CVE-2015-1464 · MEDIUM · CVSS 6.4
RT (aka Request Tracker) before 4.0.23 and 4.2.x before 4.2.10 allows remote attackers to hijack sessions via an RSS feed URL.
Scope: local
- bookworm: resolved (fixed in 4.2.8-3)
- bullseye: resolved (fixed in 4.2.8-3)
- sid: resolved (fixed in 4.2.8-3)
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2015-5348 Camel: Java object deserialisation in Jetty/Servlet
bugzilla · 2015-12-18 · CVE-2015-5348 · HIGH · CVSS 8.1
A flaw was found in Apache Camel: its Jetty/Servlet usage is vulnerable to a Java object de-serialisation vulnerability.
If camel-jetty or camel-servlet is used as a consumer in Camel routes, Camel will automatically de-serialise HTTP requests that use the content header application/x-java-serialized-object.
External References:
https://camel.apache.org/security-advisories.data/CVE-2015-5348.txt
Discussion:
Tracker for Fuse 6.2.1: https://issues.jboss.org/browse/ENTESB-4744
---
Tracker for A-MQ 6.2.1: https://issues.jboss.org/browse/ENTMQ-1464
---
CVE-2015-5348 is currently scheduled to be fixed in the Fuse 6.3 release. It is ranked as having moderate impact, so we feel it's not worthy of including in a
Bugzilla
CVE-2015-1464 rt: session hijacking flaw in RSS feed handler
bugzilla · 2015-03-09 · CVE-2015-1464 · MEDIUM · CVSS 6.4
A session hijacking flaw was found in Request Tracker's (RT) processed RSS feed handler. A remote attacker could use an RSS feed URL to hijack a session of a different user.
This flaw is fixed in 4.2.10:
https://bestpractical.com/release-notes/rt/4.2.10
Discussion:
Created rt tracking bugs for this issue:
Affects: fedora-21 [bug 1200070]
---
So, I'm playing with a rebase to 4.2.10 and pretty much none of the patches apply. I think several of them are upstream so I'll start tracking them down.
But, Ralf, do let me know if you'd rather take care of this yourself. Otherwise I'll start committing stuff to rawhide.
---
(In reply to Jason Tibbitts from comment #2)
> So, I'm playing with a rebase to 4.2.10 and pretty much none
Bugzilla
CVE-2015-1464 rt: session hijacking flaw in RSS feed handler [fedora-21]
bugzilla · 2015-03-09 · CVE-2015-1464 · MEDIUM · CVSS 6.4
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of Fedora.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
fedora-21 tracking bug for rt: see blocks bug list for full de
References:
- http://blog.bestpractical.com/2015/02/security-vulnerabilities-in-rt.html
- http://lists.fedoraproject.org/pipermail/package-announce/2015-April/154213.html
- http://lists.fedoraproject.org/pipermail/package-announce/2015-March/154047.html
- http://www.debian.org/security/2015/dsa-3176
Published: 2015-03-09