CVE-2021-38562 — Observable Discrepancy in Request Tracker

CWE-203 — Observable Discrepancy8 documents5 sources

Severity

7.5HIGHNVD

EPSS

0.1%

top 72.03%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Bestpractical Request Tracker Debian Request-tracker4 Debian Request-tracker5 +2 more

Timeline

PublishedOct 18

Latest updateAug 13

Description

Best Practical Request Tracker (RT) 4.2 before 4.2.17, 4.4 before 4.4.5, and 5.0 before 5.0.2 allows sensitive information disclosure via a timing attack against lib/RT/REST2/Middleware/Auth.pm.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:NExploitability: 3.9 | Impact: 3.6

Affected Packages3 packages

▶NVDbestpractical/request_tracker4.2.0 — 4.2.17+2

▶debiandebian/request-tracker4< request-tracker4 4.4.4+dfsg-3 (bookworm)

▶debiandebian/request-tracker5< request-tracker4 4.4.4+dfsg-3 (bookworm)

Also affects: Debian Linux 9.0, Fedora 35

Patches

Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

OSV

request-tracker5 vulnerabilities↗2025-08-13

▶

OSV

request-tracker4 vulnerabilities↗2023-12-04

▶

GHSA

GHSA-f58f-h8w5-jgjr: Best Practical Request Tracker (RT) 4↗2022-05-24

▶

OSV

CVE-2021-38562: Best Practical Request Tracker (RT) 4↗2021-10-18

▶

📋Vendor Advisories

Ubuntu

Request Tracker vulnerabilities↗2025-08-13

▶

Ubuntu

Request Tracker vulnerabilities↗2023-12-04

▶

Debian

CVE-2021-38562: request-tracker4 - Best Practical Request Tracker (RT) 4.2 before 4.2.17, 4.4 before 4.4.5, and 5.0...↗2021

▶