[VIM] vendor dispute - CVE-2013-3525 / Request Tracker SQL injection

Christey, Steven M. coley at mitre.org
Wed May 15 08:53:23 CDT 2013

Researcher: cheki

The Request Tracker vendor has disputed CVE-2013-3525.  The following vendor comment will be in NVD shortly:

        Request Tracker is not vulnerable to the "exploit" detailed in
        CVE-2013-3525.  We were unable to replicate it, and the
        individual that reported it retracted their report [1] on April
        19th.  Thus, this CVE should be considered an erroneous
        vulnerability report.  For additional information, see our blog
        post on the topic[2].

      [1] http://packetstormsecurity.com/files/121245/RT-Request-Tracker-4.0.10-SQL-Injection.html
      [2] http://blog.bestpractical.com/2013/04/on-our-security-policies.html

Note that the PacketStorm reference has been removed.

- Steve

Name: CVE-2013-3525
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-3525
Reference: MISC:http://blog.bestpractical.com/2013/04/on-our-security-policies.html
Reference: MISC:http://cxsecurity.com/issue/WLB-2013040083
Reference: MISC:http://packetstormsecurity.com/files/121245/RT-Request-Tracker-4.0.10-SQL-Injection.html
Reference: BID:59022
Reference: URL:http://www.securityfocus.com/bid/59022
Reference: OSVDB:92265
Reference: URL:http://osvdb.org/92265
Reference: XF:requesttracker-showpending-sql-injection(83375)
Reference: URL:http://xforce.iss.net/xforce/xfdb/83375


SQL injection vulnerability in Approvals/ in Request Tracker (RT)
4.0.10 and earlier allows remote attackers to execute arbitrary SQL
commands via the ShowPending parameter.  NOTE: the vendor disputes
this issue, stating "We were unable to replicate it, and the
individual that reported it retracted their report," and "we had
verified that the claimed exploit did not function according to the
author's claims."
