CVE-2017-5944
Published: 3 July 2017
The dashboard subscription interface in Request Tracker (RT) 4.x before 4.0.25, 4.2.x before 4.2.14, and 4.4.x before 4.4.2 might allow remote authenticated users with certain privileges to execute arbitrary code via a crafted saved search name.
Priority
Status
Package | Release | Status |
---|---|---|
request-tracker4 (Launchpad, Ubuntu, Debian) | impish | Not vulnerable (4.4.1-4) |
request-tracker4 | hirsute | Not vulnerable (4.4.1-4) |
request-tracker4 | xenial | Needed |
request-tracker4 | artful | Not vulnerable (4.4.1-4) |
request-tracker4 | bionic | Not vulnerable (4.4.1-4) |
request-tracker4 | cosmic | Not vulnerable (4.4.1-4) |
request-tracker4 | disco | Not vulnerable (4.4.1-4) |
request-tracker4 | eoan | Not vulnerable (4.4.1-4) |
request-tracker4 | focal | Not vulnerable (4.4.1-4) |
request-tracker4 | groovy | Not vulnerable (4.4.1-4) |
request-tracker4 | jammy | Not vulnerable (4.4.1-4) |
request-tracker4 | kinetic | Not vulnerable (4.4.1-4) |
request-tracker4 | lunar | Not vulnerable (4.4.1-4) |
request-tracker4 | trusty | Does not exist (trusty was needed) |
request-tracker4 | upstream | Released (4.4.1-4) |
request-tracker4 | yakkety | Ignored (end of life) |
request-tracker4 | zesty | Released (4.4.1-3+deb9u2build0.17.04.1) |
request-tracker4 | mantic | Not vulnerable (4.4.1-4) |
Severity score breakdown
Parameter | Value |
---|---|
Base score | 8.8 |
Attack vector | Network |
Attack complexity | Low |
Privileges required | Low |
User interaction | None |
Scope | Unchanged |
Confidentiality | High |
Integrity impact | High |
Availability impact | High |
Vector | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |