CVE-2013-3525
Published: 10 May 2013
** DISPUTED ** SQL injection vulnerability in Approvals/ in Request Tracker (RT) 4.0.10 and earlier allows remote attackers to execute arbitrary SQL commands via the ShowPending parameter. NOTE: the vendor disputes this issue, stating "We were unable to replicate it, and the individual that reported it retracted their report," and "we had verified that the claimed exploit did not function according to the author's claims."
Priority
Status
Package | Release | Status |
---|---|---|
request-tracker3.8 (Launchpad, Ubuntu, Debian) | lucid | Ignored (end of life) |
request-tracker3.8 | precise | Ignored (end of life) |
request-tracker3.8 | quantal | Does not exist |
request-tracker3.8 | raring | Does not exist |
request-tracker3.8 | saucy | Does not exist |
request-tracker3.8 | trusty | Does not exist |
request-tracker3.8 | upstream | Needs triage |
request-tracker3.8 | utopic | Does not exist |
request-tracker3.8 | vivid | Does not exist |
request-tracker3.8 | wily | Does not exist |
request-tracker3.8 | xenial | Does not exist |
request-tracker3.8 | yakkety | Does not exist |
request-tracker3.8 | zesty | Does not exist |
request-tracker4 (Launchpad, Ubuntu, Debian) | lucid | Does not exist |
request-tracker4 | precise | Ignored (end of life) |
request-tracker4 | quantal | Ignored (end of life) |
request-tracker4 | raring | Ignored (end of life) |
request-tracker4 | saucy | Not vulnerable (4.0.13-1) |
request-tracker4 | trusty | Does not exist (trusty was not-affected [4.0.19-1]) |
request-tracker4 | upstream | Released (4.0.12-1) |
request-tracker4 | utopic | Not vulnerable (4.0.19-1) |
request-tracker4 | vivid | Not vulnerable (4.0.19-1) |
request-tracker4 | wily | Not vulnerable (4.0.19-1) |
request-tracker4 | xenial | Not vulnerable (4.0.19-1) |
request-tracker4 | yakkety | Not vulnerable (4.0.19-1) |
request-tracker4 | zesty | Not vulnerable (4.0.19-1) |
References
- http://blog.bestpractical.com/2013/04/on-our-security-policies.html
- http://xforce.iss.net/xforce/xfdb/83375
- http://packetstormsecurity.com/files/121245/RT-Request-Tracker-4.0.10-SQL-Injection.html
- http://osvdb.org/92265
- http://cxsecurity.com/issue/WLB-2013040083
- https://www.cve.org/CVERecord?id=CVE-2013-3525
- NVD
- Launchpad
- Debian