Arch Linux Security Advisory ASA-201411-8
=========================================

Severity: Critical
Date    : 2014-11-12
CVE-ID  : CVE-2014-7146 CVE-2014-8598
Package : mantisbt
Type    : arbitrary code execution, unrestricted access
Remote  : Yes
Link    : https://wiki.archlinux.org/index.php/CVE-2014

Summary
=======

The package mantisbt before version 1.2.17-4 is vulnerable to arbitrary code
execution and unrestricted access.

Resolution
==========

Upgrade to 1.2.17-4.

# pacman -Syu "mantisbt>=1.2.17-4"

The problems have been fixed upstream [0][1] but no release version is
available yet.

Workaround
==========

Uninstall the XML Import/Export plugin in mantisbt to avoid both
vulnerabilities.

Description
===========

- CVE-2014-7146 (arbitrary code execution)

When importing data with the plugin, user input passed through the
"description" field (and the "issuelink" attribute) of the uploaded XML file
isn't properly sanitized before being used in a call to the preg_replace()
function which uses the 'e' modifier. This can be exploited to inject and
execute arbitrary PHP code when the Import/Export plugin is installed.

- CVE-2014-8598 (unrestricted access, information disclosure)

The bundled XML Import/Export plugin does not perform any access level checks
in the import and export pages. This allows any user knowing the URL to the
plugin's page to insert or export any (confidential) data without
restriction, regardless of their access level.

This vulnerability is particularly dangerous when used in combination with
the one described above (CVE-2014-7146), as it makes the access complexity
very low, allowing unauthenticated attackers to execute arbitrary code.

Impact
======

A remote unauthenticated attacker knowing the URL to the plugin's page is able
to export confidential information, insert data without any restriction or
execute arbitrary code.
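The following is an added illustration of the two bug classes described above; it is not MantisBT's own code or the upstream fix. It assumes an importer that rewrites "#<id>" issue references using a prefix taken from the XML "issuelink" attribute, and assumes the plugin option name 'import_threshold'; access_ensure_project_level(), plugin_config_get() and the MANAGER constant are the real MantisBT API.

```php
<?php
// Added example, not MantisBT's code. Assumed: an importer that remaps
// "#<id>" references, a plugin option 'import_threshold', and PHP >= 5.3
// (closures). Requires the MantisBT core to be loaded for the access check.

// --- CVE-2014-8598: the import/export pages must enforce an access level
// before doing anything. access_ensure_project_level() stops the request
// (access-denied page) when the current user is below the threshold.
function xml_import_page_guard() {
    access_ensure_project_level( plugin_config_get( 'import_threshold', MANAGER ) );
}

// Constructed id map: issue id in the uploaded file => id assigned on import.
$g_issue_map = array( 123 => 4567, 124 => 4568 );

// --- CVE-2014-7146, the pattern class the advisory describes (do not use):
//   preg_replace( '/' . $p_prefix . '(\d+)/e', "'" . $p_prefix . "' . ...", $p_description );
// With the 'e' modifier preg_replace() passes the replacement string to
// eval() after splicing in the capture, so data from the uploaded XML
// (prefix and description) ends up inside PHP code, and the un-escaped
// prefix is also interpreted as regex syntax.

// Hardened form: the prefix is quoted so it is a literal, and the rewrite
// is a PHP callback that receives the capture as data, never as code.
function remap_issue_refs( $p_prefix, $p_description, array $p_map ) {
    $t_pattern = '/' . preg_quote( $p_prefix, '/' ) . '(\d+)/';
    return preg_replace_callback(
        $t_pattern,
        function ( $p_match ) use ( $p_prefix, $p_map ) {
            $t_old = (int)$p_match[1];
            // Unknown ids are left as they were in the file.
            $t_new = isset( $p_map[$t_old] ) ? $p_map[$t_old] : $t_old;
            return $p_prefix . $t_new;
        },
        $p_description
    );
}

// Constructed input standing in for a "description" field from the XML.
$t_description = 'Duplicate of #123; see also #124 and #999.';
echo remap_issue_refs( '#', $t_description, $g_issue_map ), "\n";
```

In the hardened form an attacker-controlled prefix or description can only change which text is matched and copied, not what PHP executes, which is the property the 'e' modifier destroyed.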
References
==========

[0] https://github.com/mantisbt/mantisbt/commit/bed19db9
[1] https://github.com/mantisbt/mantisbt/commit/80a15487
https://access.redhat.com/security/cve/CVE-2014-7146
https://access.redhat.com/security/cve/CVE-2014-8598
http://www.openwall.com/lists/oss-security/2014/11/07/27
http://www.openwall.com/lists/oss-security/2014/11/07/28
https://bugs.archlinux.org/task/42761