[arch-security] [Arch Linux Security Advisory ASA-201411-3] mantisbt: sql injection
Arch Linux Security Advisory ASA-201411-3
=========================================

Severity: Critical
Date    : 2014-11-05
CVE-ID  : CVE-2014-8554
Package : mantisbt
Type    : sql injection
Remote  : Yes
Link    : https://wiki.archlinux.org/index.php/CVE-2014

Summary
=======

The package mantisbt before version 1.2.17-3 is vulnerable to SQL injection.

Resolution
==========

Upgrade to 1.2.17-3.

# pacman -Syu "mantisbt>=1.2.17-3"

The problem has been fixed upstream [0] but no release version is available yet.

Workaround
==========

None.

Description
===========

Edwin Gozeling and Wim Visser discovered that when the project_id parameter of the SOAP-request starts with the integer of a project to which the user (or anonymous) is authorized, the ENTIRE value will become the first item of $t_projects. As this value is concatenated in the SQL statement, SQL-injection becomes possible.

Impact
======

A remote attacker is able to perform SQL injection via specially crafted SOAP-requests. Depending on the configuration this can be escalated to code execution.

References
==========

[0] https://github.com/mantisbt/mantisbt/commit/99ffb0af
https://access.redhat.com/security/cve/CVE-2014-8554
http://seclists.org/oss-sec/2014/q4/478
https://bugs.archlinux.org/task/42683
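The flaw class from the Description, as an added example (a Python/SQLite model, not MantisBT's PHP code and not part of the original advisory): an access check that looks only at the numeric prefix of project_id while the whole string is concatenated into the query, next to a strictly validated, parameterized version. The table, the function names, the AUTHORIZED set and the sample values are constructed assumptions.

```python
import re
import sqlite3

AUTHORIZED = {1}  # assumption: project ids the caller is allowed to read

def make_db():
    # Constructed sample data: project 1 is readable, project 2 is private.
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE attachment (id INTEGER, project_id INTEGER, name TEXT);
        INSERT INTO attachment VALUES (1, 1, 'public.txt'), (2, 2, 'private.txt');
    """)
    return db

def leading_int(value):
    # Models a numeric-prefix conversion: '1) OR (1=1' -> 1, 'abc' -> 0.
    m = re.match(r"\s*[+-]?[0-9]+", str(value))
    return int(m.group()) if m else 0

def attachments_vulnerable(db, project_id):
    # The access check only sees the integer the value starts with ...
    if leading_int(project_id) not in AUTHORIZED:
        raise PermissionError("access denied")
    t_projects = [project_id]  # ... but the ENTIRE value is kept
    sql = ("SELECT name FROM attachment WHERE project_id IN (%s)"
           % ",".join(str(p) for p in t_projects))  # concatenated into SQL
    return [row[0] for row in db.execute(sql)]

def attachments_fixed(db, project_id):
    # Accept nothing but a plain decimal integer, then authorize that integer.
    if not re.fullmatch(r"[0-9]+", str(project_id)):
        raise ValueError("project_id must be an integer")
    pid = int(project_id)
    if pid not in AUTHORIZED:
        raise PermissionError("access denied")
    # Bound parameter: the value is never interpreted as SQL text.
    rows = db.execute("SELECT name FROM attachment WHERE project_id IN (?)", (pid,))
    return [row[0] for row in rows]

if __name__ == "__main__":
    db = make_db()
    crafted = "1) OR (1=1"  # constructed value that starts with authorized id 1
    print("vulnerable:", attachments_vulnerable(db, crafted))
    try:
        attachments_fixed(db, crafted)
    except ValueError as exc:
        print("fixed     : rejected,", exc)
```
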
Levente Polyak