CVE-2017-5361 — Request-tracker4 vulnerability

6 documents5 sources

Severity

5.9MEDIUMNVD

EPSS

0.4%

top 41.95%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Debian Request-tracker4 Bestpractical Request Tracker

Timeline

PublishedJul 3

Latest updateMay 13

Description

Request Tracker (RT) 4.x before 4.0.25, 4.2.x before 4.2.14, and 4.4.x before 4.4.2 does not use a constant-time comparison algorithm for secrets, which makes it easier for remote attackers to obtain sensitive user password information via a timing side-channel attack.

CVSS vector

CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:NExploitability: 2.2 | Impact: 3.6

Affected Packages2 packages

▶debiandebian/request-tracker4< request-tracker4 4.4.1-4 (bookworm)

▶NVDbestpractical/request_tracker41 versions+40

🔴Vulnerability Details

GHSA

GHSA-qpcq-vgjf-37f6: Request Tracker (RT) 4↗2022-05-13

▶

OSV

CVE-2017-5361: Request Tracker (RT) 4↗2017-07-03

▶

📋Vendor Advisories

Debian

CVE-2017-5361: request-tracker4 - Request Tracker (RT) 4.x before 4.0.25, 4.2.x before 4.2.14, and 4.4.x before 4....↗2017

▶

💬Community

Bugzilla

CVE-2017-5361 rt: timing side-channel attack in secrets constant-time comparison algorithm↗2017-07-26

▶

Bugzilla

CVE-2016-6127 CVE-2017-5361 CVE-2017-5943 CVE-2017-5944 rt: various flaws [fedora-all]↗2017-07-26

▶