CVE-2013-1883: Input Validation
First published: Thu Mar 21 2013(Updated: )
A denial of service flaw was found in the way MantisBT, a free popular web-based issue tracking system, performed processing of certain type of View Issues page search queries. A remote attacker could provide a specially-crafted query (filter combining some criteria and a text search with 'any condition') that, when processed by the MantisBT system, would lead to excessive system resources consumption (denial of service), possibly leading to complete MantisBT server instance unavailability. References: [1] <a href="http://www.openwall.com/lists/oss-security/2013/03/21/3">http://www.openwall.com/lists/oss-security/2013/03/21/3</a> Upstream bug report: [2] <a href="http://www.mantisbt.org/bugs/view.php?id=15573">http://www.mantisbt.org/bugs/view.php?id=15573</a> Relevant upstream patch: [3] <a href="https://github.com/mantisbt/mantisbt/commit/d16988c3ca232a7">https://github.com/mantisbt/mantisbt/commit/d16988c3ca232a7</a>
Credit: secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| CentOS Libreport-plugin-mantisbt | =1.2.12 | |
| CentOS Libreport-plugin-mantisbt | =1.2.13 | |
| CentOS Libreport-plugin-mantisbt | =1.2.14 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://www.openwall.com/lists/oss-security/2013/03/21/3
- http://www.mantisbt.org/bugs/view.php?id=15573
- https://github.com/mantisbt/mantisbt/commit/d16988c3ca232a7
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=924341
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=924342
- https://access.redhat.com/security/cve/CVE-2013-1883
- http://www.openwall.com/lists/oss-security/2013/03/22/2
- https://bugzilla.redhat.com/show_bug.cgi?id=924340
- http://www.securityfocus.com/bid/58626
- https://exchange.xforce.ibmcloud.com/vulnerabilities/83347
Frequently Asked Questions
What is the severity of CVE-2013-1883?
CVE-2013-1883 has been classified as a moderate severity denial of service vulnerability.
How do I fix CVE-2013-1883?
To fix CVE-2013-1883, upgrade MantisBT to version 1.2.15 or later.
What versions of MantisBT are affected by CVE-2013-1883?
CVE-2013-1883 affects MantisBT versions 1.2.12, 1.2.13, and 1.2.14.
Can CVE-2013-1883 be exploited remotely?
Yes, CVE-2013-1883 can be exploited remotely by an attacker sending a specially-crafted query to the View Issues page.
What type of vulnerability is CVE-2013-1883?
CVE-2013-1883 is a denial of service vulnerability that can disrupt the functioning of MantisBT.
- agent/references
- agent/first-publish-date
- collector/mitre-cve
- source/MITRE
- agent/author
- agent/weakness
- agent/remedy
- agent/severity
- agent/last-modified-date
- agent/type
- agent/description
- agent/event
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2013-1883
- agent/trending
- agent/source
- agent/tags
- agent/softwarecombine
- collector/nvd-index
- agent/software-canonical-lookup-request
- vendor/mantisbt
- canonical/centos libreport-plugin-mantisbt
- version/centos libreport-plugin-mantisbt/1.2.12
- version/centos libreport-plugin-mantisbt/1.2.13
- version/centos libreport-plugin-mantisbt/1.2.14