[VIM] vendor dispute - CVE-2013-3525 / Request Tracker SQL injection
Christey, Steven M.
coley at mitre.org
Wed May 15 08:53:23 CDT 2013
Researcher: cheki
The Request Tracker vendor has disputed CVE-2013-3525. The following vendor comment will be in NVD shortly:
Request Tracker is not vulnerable to the "exploit" detailed in
CVE-2013-3525. We were unable to replicate it, and the
individual that reported it retracted their report [1] on April
19th. Thus, this CVE should be considered an erroneous
vulnerability report. For additional information, see our blog
post on the topic [2].
[1] http://packetstormsecurity.com/files/121245/RT-Request-Tracker-4.0.10-SQL-Injection.html
[2] http://blog.bestpractical.com/2013/04/on-our-security-policies.html
Note that the PacketStorm reference has been removed.
- Steve
======================================================
Name: CVE-2013-3525
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-3525
Reference: MISC:http://blog.bestpractical.com/2013/04/on-our-security-policies.html
Reference: MISC:http://cxsecurity.com/issue/WLB-2013040083
Reference: MISC:http://packetstormsecurity.com/files/121245/RT-Request-Tracker-4.0.10-SQL-Injection.html
Reference: BID:59022
Reference: URL:http://www.securityfocus.com/bid/59022
Reference: OSVDB:92265
Reference: URL:http://osvdb.org/92265
Reference: XF:requesttracker-showpending-sql-injection(83375)
Reference: URL:http://xforce.iss.net/xforce/xfdb/83375
** DISPUTED **
SQL injection vulnerability in Approvals/ in Request Tracker (RT)
4.0.10 and earlier allows remote attackers to execute arbitrary SQL
commands via the ShowPending parameter. NOTE: the vendor disputes
this issue, stating "We were unable to replicate it, and the
individual that reported it retracted their report," and "we had
verified that the claimed exploit did not function according to the
author's claims."