CVE-2015-1464 - Vulnerability Details - OpenCVE

RT (aka Request Tracker) before 4.0.23 and 4.2.x before 4.2.10 allows remote attackers to hijack sessions via an RSS feed URL.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact None

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Bestpractical	Request Tracker
Fedoraproject	Fedora

Configuration 1 [-]

OR	cpe:2.3:o:fedoraproject:fedora:21:::::::*
	cpe:2.3:o:fedoraproject:fedora:22:::::::*

Configuration 2 [-]

OR	cpe:2.3:a:bestpractical:request_tracker::::::::
	cpe:2.3:a:bestpractical:request_tracker:4.2.0:::::::*
	cpe:2.3:a:bestpractical:request_tracker:4.2.1:::::::*
	cpe:2.3:a:bestpractical:request_tracker:4.2.2:::::::*
	cpe:2.3:a:bestpractical:request_tracker:4.2.3:::::::*
	cpe:2.3:a:bestpractical:request_tracker:4.2.4:::::::*
	cpe:2.3:a:bestpractical:request_tracker:4.2.5:::::::*
	cpe:2.3:a:bestpractical:request_tracker:4.2.6:::::::*
	cpe:2.3:a:bestpractical:request_tracker:4.2.7:::::::*
	cpe:2.3:a:bestpractical:request_tracker:4.2.8:::::::*
	cpe:2.3:a:bestpractical:request_tracker:4.2.9:::::::*

No data.

References

Link	Providers
http://blog.bestpractical.com/2015/02/security-vulnerabilities-in-rt.html
http://lists.fedoraproject.org/pipermail/package-announce/2015-April/154213.html
http://lists.fedoraproject.org/pipermail/package-announce/2015-March/154047.html
http://www.debian.org/security/2015/dsa-3176

History

No history.

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2015-03-09T14:00:00

Updated: 2024-08-06T04:47:16.215Z

Reserved: 2015-02-03T00:00:00

Link: CVE-2015-1464

Vulnrichment

No data.

NVD

Status : Deferred

Published: 2015-03-09T14:59:06.450

Modified: 2025-04-12T10:46:40.837

Link: CVE-2015-1464

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2015-02-26T00:00:00", "descriptions": [{"lang": "en", "value": "RT (aka Request Tracker) before 4.0.23 and 4.2.x before 4.2.10 allows remote attackers to hijack sessions via an RSS feed URL."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2015-04-08T17:57:00", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "http://blog.bestpractical.com/2015/02/security-vulnerabilities-in-rt.html"}, {"name": "DSA-3176", "tags": ["vendor-advisory", "x_refsource_DEBIAN"], "url": "http://www.debian.org/security/2015/dsa-3176"}, {"name": "FEDORA-2015-4698", "tags": ["vendor-advisory", "x_refsource_FEDORA"], "url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-March/154047.html"}, {"name": "FEDORA-2015-4666", "tags": ["vendor-advisory", "x_refsource_FEDORA"], "url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-April/154213.html"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2015-1464", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "RT (aka Request Tracker) before 4.0.23 and 4.2.x before 4.2.10 allows remote attackers to hijack sessions via an RSS feed URL."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "http://blog.bestpractical.com/2015/02/security-vulnerabilities-in-rt.html", "refsource": "CONFIRM", "url": "http://blog.bestpractical.com/2015/02/security-vulnerabilities-in-rt.html"}, {"name": "DSA-3176", "refsource": "DEBIAN", "url": "http://www.debian.org/security/2015/dsa-3176"}, {"name": "FEDORA-2015-4698", "refsource": "FEDORA", "url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-March/154047.html"}, {"name": "FEDORA-2015-4666", "refsource": "FEDORA", "url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-April/154213.html"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-06T04:47:16.215Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "http://blog.bestpractical.com/2015/02/security-vulnerabilities-in-rt.html"}, {"name": "DSA-3176", "tags": ["vendor-advisory", "x_refsource_DEBIAN", "x_transferred"], "url": "http://www.debian.org/security/2015/dsa-3176"}, {"name": "FEDORA-2015-4698", "tags": ["vendor-advisory", "x_refsource_FEDORA", "x_transferred"], "url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-March/154047.html"}, {"name": "FEDORA-2015-4666", "tags": ["vendor-advisory", "x_refsource_FEDORA", "x_transferred"], "url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-April/154213.html"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2015-1464", "datePublished": "2015-03-09T14:00:00", "dateReserved": "2015-02-03T00:00:00", "dateUpdated": "2024-08-06T04:47:16.215Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:fedoraproject:fedora:21:*:*:*:*:*:*:*", "matchCriteriaId": "56BDB5A0-0839-4A20-A003-B8CD56F48171", "vulnerable": true}, {"criteria": "cpe:2.3:o:fedoraproject:fedora:22:*:*:*:*:*:*:*", "matchCriteriaId": "253C303A-E577-4488-93E6-68A8DD942C38", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:bestpractical:request_tracker:*:*:*:*:*:*:*:*", "matchCriteriaId": "7FDDD86F-98D0-49D7-8467-AAF9842F771D", "versionEndIncluding": "4.0.22", "vulnerable": true}, {"criteria": "cpe:2.3:a:bestpractical:request_tracker:4.2.0:*:*:*:*:*:*:*", "matchCriteriaId": "016A9A48-9F12-4842-862F-4A192DA0D924", "vulnerable": true}, {"criteria": "cpe:2.3:a:bestpractical:request_tracker:4.2.1:*:*:*:*:*:*:*", "matchCriteriaId": "0D148F2A-F6B1-432A-9743-35BC43E86B40", "vulnerable": true}, {"criteria": "cpe:2.3:a:bestpractical:request_tracker:4.2.2:*:*:*:*:*:*:*", "matchCriteriaId": "2445145B-A162-484D-ABDF-053C20FD7E96", "vulnerable": true}, {"criteria": "cpe:2.3:a:bestpractical:request_tracker:4.2.3:*:*:*:*:*:*:*", "matchCriteriaId": "15EE6E16-375A-42B0-AE3C-E1FB95E9F466", "vulnerable": true}, {"criteria": "cpe:2.3:a:bestpractical:request_tracker:4.2.4:*:*:*:*:*:*:*", "matchCriteriaId": "83BF8033-9E4D-4B8B-B9E4-E992FE848F4E", "vulnerable": true}, {"criteria": "cpe:2.3:a:bestpractical:request_tracker:4.2.5:*:*:*:*:*:*:*", "matchCriteriaId": "6C68D322-E453-48D5-A5FB-39C744D90858", "vulnerable": true}, {"criteria": "cpe:2.3:a:bestpractical:request_tracker:4.2.6:*:*:*:*:*:*:*", "matchCriteriaId": "3881CA9B-5358-4808-9041-DE3E2FC8927F", "vulnerable": true}, {"criteria": "cpe:2.3:a:bestpractical:request_tracker:4.2.7:*:*:*:*:*:*:*", "matchCriteriaId": "A95CE3FD-5311-4644-8417-A74FF6B88458", "vulnerable": true}, {"criteria": "cpe:2.3:a:bestpractical:request_tracker:4.2.8:*:*:*:*:*:*:*", "matchCriteriaId": "E1DD1F04-3D0E-4210-8039-073B28ECCD85", "vulnerable": true}, {"criteria": "cpe:2.3:a:bestpractical:request_tracker:4.2.9:*:*:*:*:*:*:*", "matchCriteriaId": "26235782-E3A1-4D71-9E82-87DAC822D79D", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "RT (aka Request Tracker) before 4.0.23 and 4.2.x before 4.2.10 allows remote attackers to hijack sessions via an RSS feed URL."}, {"lang": "es", "value": "RT (tambi\u00e9n conocido como Request Tracker) anterior a 4.0.23 y 4.2.x anterior a 4.2.10 permite a atacantes remotos secuestrar sesiones a trav\u00e9s de una URL de alimentaci\u00f3n RSS."}], "id": "CVE-2015-1464", "lastModified": "2025-04-12T10:46:40.837", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 6.4, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 4.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}]}, "published": "2015-03-09T14:59:06.450", "references": [{"source": "cve@mitre.org", "tags": ["Vendor Advisory"], "url": "http://blog.bestpractical.com/2015/02/security-vulnerabilities-in-rt.html"}, {"source": "cve@mitre.org", "url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-April/154213.html"}, {"source": "cve@mitre.org", "url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-March/154047.html"}, {"source": "cve@mitre.org", "url": "http://www.debian.org/security/2015/dsa-3176"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "http://blog.bestpractical.com/2015/02/security-vulnerabilities-in-rt.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-April/154213.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-March/154047.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.debian.org/security/2015/dsa-3176"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-284"}], "source": "nvd@nist.gov", "type": "Primary"}]}