CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:M/Au:N/C:P/I:P/A:P
EPSS
Percentile
86.4%
Multiple vulnerabilities have been discovered in Request Tracker, an extensible trouble-ticket tracking system. The Common Vulnerabilities and Exposures project identifies the following problems :
CVE-2013-3368 The rt command line tool uses semi-predictable temporary files. A malicious user can use this flaw to overwrite files with permissions of the user running the rt command line tool.
CVE-2013-3369 A malicious user who is allowed to see administration pages can run arbitrary Mason components (without control of arguments), which may have negative side-effects.
CVE-2013-3370 Request Tracker allows direct requests to private callback components, which could be used to exploit a Request Tracker extension or a local callback which uses the arguments passed to it insecurely.
CVE-2013-3371 Request Tracker is vulnerable to cross-site scripting attacks via attachment filenames.
CVE-2013-3372 Dominic Hargreaves discovered that Request Tracker is vulnerable to an HTTP header injection limited to the value of the Content-Disposition header.
CVE-2013-3373 Request Tracker is vulnerable to a MIME header injection in outgoing email generated by Request Tracker.
Request Tracker stock templates are resolved by this update. But any custom email templates should be updated to ensure that values interpolated into mail headers do not contain newlines.
This version of Request Tracker includes a database content upgrade.
If you are using a dbconfig-managed database, you will be offered the choice of applying this automatically. Otherwise see the explanation in /usr/share/doc/request-tracker3.8/NEWS.Debian.gz for the manual steps to perform.
Please note that if you run request-tracker3.8 under the Apache web server, you must stop and start Apache manually. The ‘restart’ mechanism is not recommended, especially when using mod_perl or any form of persistent Perl process such as FastCGI or SpeedyCGI.
#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Debian Security Advisory DSA-2670. The text
# itself is copyright (C) Software in the Public Interest, Inc.
#
include('deprecated_nasl_level.inc');
include('compat.inc');
if (description)
{
script_id(66546);
script_version("1.10");
script_set_attribute(attribute:"plugin_modification_date", value:"2021/01/11");
script_cve_id("CVE-2013-3368", "CVE-2013-3369", "CVE-2013-3370", "CVE-2013-3371", "CVE-2013-3372", "CVE-2013-3373", "CVE-2013-3374");
script_bugtraq_id(47995, 53192);
script_xref(name:"DSA", value:"2670");
script_name(english:"Debian DSA-2670-1 : request-tracker3.8 - several vulnerabilities");
script_summary(english:"Checks dpkg output for the updated package");
script_set_attribute(
attribute:"synopsis",
value:"The remote Debian host is missing a security-related update."
);
script_set_attribute(
attribute:"description",
value:
"Multiple vulnerabilities have been discovered in Request Tracker, an
extensible trouble-ticket tracking system. The Common Vulnerabilities
and Exposures project identifies the following problems :
- CVE-2013-3368
The rt command line tool uses semi-predictable temporary
files. A malicious user can use this flaw to overwrite
files with permissions of the user running the rt
command line tool.
- CVE-2013-3369
A malicious user who is allowed to see administration
pages can run arbitrary Mason components (without
control of arguments), which may have negative
side-effects.
- CVE-2013-3370
Request Tracker allows direct requests to private
callback components, which could be used to exploit a
Request Tracker extension or a local callback which uses
the arguments passed to it insecurely.
- CVE-2013-3371
Request Tracker is vulnerable to cross-site scripting
attacks via attachment filenames.
- CVE-2013-3372
Dominic Hargreaves discovered that Request Tracker is
vulnerable to an HTTP header injection limited to the
value of the Content-Disposition header.
- CVE-2013-3373
Request Tracker is vulnerable to a MIME header injection
in outgoing email generated by Request Tracker.
Request Tracker stock templates are resolved by this update. But any
custom email templates should be updated to ensure that values
interpolated into mail headers do not contain newlines.
- CVE-2013-3374
Request Tracker is vulnerable to limited session re-use
when using the file-based session store,
Apache::Session::File. However Request Tracker's default
session configuration only uses Apache::Session::File
when configured for Oracle databases.
This version of Request Tracker includes a database content upgrade.
If you are using a dbconfig-managed database, you will be offered the
choice of applying this automatically. Otherwise see the explanation
in /usr/share/doc/request-tracker3.8/NEWS.Debian.gz for the manual
steps to perform.
Please note that if you run request-tracker3.8 under the Apache web
server, you must stop and start Apache manually. The 'restart'
mechanism is not recommended, especially when using mod_perl or any
form of persistent Perl process such as FastCGI or SpeedyCGI."
);
script_set_attribute(
attribute:"see_also",
value:"https://security-tracker.debian.org/tracker/CVE-2013-3368"
);
script_set_attribute(
attribute:"see_also",
value:"https://security-tracker.debian.org/tracker/CVE-2013-3369"
);
script_set_attribute(
attribute:"see_also",
value:"https://security-tracker.debian.org/tracker/CVE-2013-3370"
);
script_set_attribute(
attribute:"see_also",
value:"https://security-tracker.debian.org/tracker/CVE-2013-3371"
);
script_set_attribute(
attribute:"see_also",
value:"https://security-tracker.debian.org/tracker/CVE-2013-3372"
);
script_set_attribute(
attribute:"see_also",
value:"https://security-tracker.debian.org/tracker/CVE-2013-3373"
);
script_set_attribute(
attribute:"see_also",
value:"https://security-tracker.debian.org/tracker/CVE-2013-3374"
);
script_set_attribute(
attribute:"see_also",
value:"https://packages.debian.org/source/squeeze/request-tracker3.8"
);
script_set_attribute(
attribute:"see_also",
value:"https://www.debian.org/security/2013/dsa-2670"
);
script_set_attribute(
attribute:"solution",
value:
"Upgrade the request-tracker3.8 packages.
For the oldstable distribution (squeeze), these problems have been
fixed in version 3.8.8-7+squeeze7.
The stable, testing and unstable distributions do not contain anymore
request-tracker3.8, which is replaced by request-tracker4."
);
script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P");
script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
script_set_attribute(attribute:"exploit_available", value:"false");
script_set_attribute(attribute:"plugin_type", value:"local");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:request-tracker3.8");
script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:6.0");
script_set_attribute(attribute:"patch_publication_date", value:"2013/05/22");
script_set_attribute(attribute:"plugin_publication_date", value:"2013/05/23");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_copyright(english:"This script is Copyright (C) 2013-2021 and is owned by Tenable, Inc. or an Affiliate thereof.");
script_family(english:"Debian Local Security Checks");
script_dependencies("ssh_get_info.nasl");
script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");
exit(0);
}
include("audit.inc");
include("debian_package.inc");
if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian");
if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING);
flag = 0;
if (deb_check(release:"6.0", prefix:"request-tracker3.8", reference:"3.8.8-7+squeeze7")) flag++;
if (deb_check(release:"6.0", prefix:"rt3.8-apache2", reference:"3.8.8-7+squeeze7")) flag++;
if (deb_check(release:"6.0", prefix:"rt3.8-clients", reference:"3.8.8-7+squeeze7")) flag++;
if (deb_check(release:"6.0", prefix:"rt3.8-db-mysql", reference:"3.8.8-7+squeeze7")) flag++;
if (deb_check(release:"6.0", prefix:"rt3.8-db-postgresql", reference:"3.8.8-7+squeeze7")) flag++;
if (deb_check(release:"6.0", prefix:"rt3.8-db-sqlite", reference:"3.8.8-7+squeeze7")) flag++;
if (flag)
{
if (report_verbosity > 0) security_warning(port:0, extra:deb_report_get());
else security_warning(0);
exit(0);
}
else audit(AUDIT_HOST_NOT, "affected");
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-3368
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-3369
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-3370
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-3371
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-3372
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-3373
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-3374
packages.debian.org/source/squeeze/request-tracker3.8
security-tracker.debian.org/tracker/CVE-2013-3368
security-tracker.debian.org/tracker/CVE-2013-3369
security-tracker.debian.org/tracker/CVE-2013-3370
security-tracker.debian.org/tracker/CVE-2013-3371
security-tracker.debian.org/tracker/CVE-2013-3372
security-tracker.debian.org/tracker/CVE-2013-3373
security-tracker.debian.org/tracker/CVE-2013-3374
www.debian.org/security/2013/dsa-2670