CVE-2011-1008 - Vulnerability Details

Scrips_Overlay.pm in Best Practical Solutions RT before 3.8.9 does not properly restrict access to a TicketObj in a Scrip after a CurrentUser change, which allows remote authenticated users to obtain sensitive information via unspecified vectors, as demonstrated by custom-field value information, related to SQL logging.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

AV:N/AC:L/Au:S/C:P/I:N/A:N

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Bestpractical	Rt

Configuration 1 [-]

OR	cpe:2.3:a:bestpractical:rt::rc3::::::*
	cpe:2.3:a:bestpractical:rt:1.0.0:::::::*
	cpe:2.3:a:bestpractical:rt:1.0.1:::::::*
	cpe:2.3:a:bestpractical:rt:1.0.2:::::::*
	cpe:2.3:a:bestpractical:rt:1.0.3:::::::*
	cpe:2.3:a:bestpractical:rt:1.0.4:::::::*
	cpe:2.3:a:bestpractical:rt:1.0.5:::::::*
	cpe:2.3:a:bestpractical:rt:1.0.6:::::::*
	cpe:2.3:a:bestpractical:rt:1.0.7:::::::*
	cpe:2.3:a:bestpractical:rt:2.0.0:::::::*
	cpe:2.3:a:bestpractical:rt:2.0.1:::::::*
	cpe:2.3:a:bestpractical:rt:2.0.2:::::::*
	cpe:2.3:a:bestpractical:rt:2.0.3:::::::*
	cpe:2.3:a:bestpractical:rt:2.0.4:::::::*
	cpe:2.3:a:bestpractical:rt:2.0.5:::::::*
	cpe:2.3:a:bestpractical:rt:2.0.5.1:::::::*
	cpe:2.3:a:bestpractical:rt:2.0.5.3:::::::*
	cpe:2.3:a:bestpractical:rt:2.0.6:::::::*
	cpe:2.3:a:bestpractical:rt:2.0.7:::::::*
	cpe:2.3:a:bestpractical:rt:2.0.8:::::::*
	cpe:2.3:a:bestpractical:rt:2.0.8.2:::::::*
	cpe:2.3:a:bestpractical:rt:2.0.9:::::::*
	cpe:2.3:a:bestpractical:rt:2.0.11:::::::*
	cpe:2.3:a:bestpractical:rt:2.0.12:::::::*
	cpe:2.3:a:bestpractical:rt:2.0.13:::::::*
	cpe:2.3:a:bestpractical:rt:2.0.14:::::::*
	cpe:2.3:a:bestpractical:rt:2.0.15:::::::*
	cpe:2.3:a:bestpractical:rt:3.0.0:::::::*
	cpe:2.3:a:bestpractical:rt:3.0.1:::::::*
	cpe:2.3:a:bestpractical:rt:3.0.2:::::::*
	cpe:2.3:a:bestpractical:rt:3.0.3:::::::*
	cpe:2.3:a:bestpractical:rt:3.0.4:::::::*
	cpe:2.3:a:bestpractical:rt:3.0.5:::::::*
	cpe:2.3:a:bestpractical:rt:3.0.6:::::::*
	cpe:2.3:a:bestpractical:rt:3.0.7:::::::*
	cpe:2.3:a:bestpractical:rt:3.0.7.1:::::::*
	cpe:2.3:a:bestpractical:rt:3.0.8:::::::*
	cpe:2.3:a:bestpractical:rt:3.0.9:::::::*
	cpe:2.3:a:bestpractical:rt:3.0.10:::::::*
	cpe:2.3:a:bestpractical:rt:3.0.11:::::::*
	cpe:2.3:a:bestpractical:rt:3.0.12:::::::*
	cpe:2.3:a:bestpractical:rt:3.2.0:::::::*
	cpe:2.3:a:bestpractical:rt:3.2.1:::::::*
	cpe:2.3:a:bestpractical:rt:3.2.2:::::::*
	cpe:2.3:a:bestpractical:rt:3.2.3:::::::*
	cpe:2.3:a:bestpractical:rt:3.4.0:::::::*
	cpe:2.3:a:bestpractical:rt:3.4.1:::::::*
	cpe:2.3:a:bestpractical:rt:3.4.2:::::::*
	cpe:2.3:a:bestpractical:rt:3.4.3:::::::*
	cpe:2.3:a:bestpractical:rt:3.4.4:::::::*
	cpe:2.3:a:bestpractical:rt:3.4.5:::::::*
	cpe:2.3:a:bestpractical:rt:3.4.6:::::::*
	cpe:2.3:a:bestpractical:rt:3.6.0:::::::*
	cpe:2.3:a:bestpractical:rt:3.6.1:::::::*
	cpe:2.3:a:bestpractical:rt:3.6.2:::::::*
	cpe:2.3:a:bestpractical:rt:3.6.3:::::::*
	cpe:2.3:a:bestpractical:rt:3.6.4:::::::*
	cpe:2.3:a:bestpractical:rt:3.6.5:::::::*
	cpe:2.3:a:bestpractical:rt:3.6.6:::::::*
	cpe:2.3:a:bestpractical:rt:3.6.7:::::::*
	cpe:2.3:a:bestpractical:rt:3.6.8:::::::*
	cpe:2.3:a:bestpractical:rt:3.6.9:::::::*
	cpe:2.3:a:bestpractical:rt:3.8.0:::::::*
	cpe:2.3:a:bestpractical:rt:3.8.1:::::::*
cpe:2.3:a:bestpractical:rt:3.8.2:::::::*
cpe:2.3:a:bestpractical:rt:3.8.3:::::::*
cpe:2.3:a:bestpractical:rt:3.8.4:::::::*
cpe:2.3:a:bestpractical:rt:3.8.5:::::::*
cpe:2.3:a:bestpractical:rt:3.8.6:::::::*
cpe:2.3:a:bestpractical:rt:3.8.6:rc1::::::
cpe:2.3:a:bestpractical:rt:3.8.7:rc1::::::
cpe:2.3:a:bestpractical:rt:3.8.8:rc2::::::
cpe:2.3:a:bestpractical:rt:3.8.8:rc3::::::
cpe:2.3:a:bestpractical:rt:3.8.8:rc4::::::
cpe:2.3:a:bestpractical:rt:3.8.9:rc1::::::
cpe:2.3:a:bestpractical:rt:3.8.9:rc2::::::

No data.

References

Link	Providers
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=614576
http://lists.bestpractical.com/pipermail/rt-announce/2011-February/000186.html
http://openwall.com/lists/oss-security/2011/02/22/12
http://openwall.com/lists/oss-security/2011/02/22/16
http://openwall.com/lists/oss-security/2011/02/22/6
http://openwall.com/lists/oss-security/2011/02/23/22
http://openwall.com/lists/oss-security/2011/02/24/7
http://openwall.com/lists/oss-security/2011/02/24/8
http://openwall.com/lists/oss-security/2011/02/24/9
http://osvdb.org/71011
http://secunia.com/advisories/43438
http://www.vupen.com/english/advisories/2011/0475
https://exchange.xforce.ibmcloud.com/vulnerabilities/65772
https://github.com/bestpractical/rt/commit/2338cd19ed7a7f4c1e94f639ab2789d6586d01f3
https://lists.apache.org/thread.html/rf9fa47ab66495c78bb4120b0754dd9531ca2ff0430f6685ac9b07772%40%3Cdev.mina.apache.org%3E

History

No history.

MITRE

Status: PUBLISHED

Assigner: redhat

Published: 2011-02-28T15:00:00

Updated: 2024-08-06T22:14:26.931Z

Reserved: 2011-02-14T00:00:00

Link: CVE-2011-1008

Vulnrichment

No data.

NVD

Status : Deferred

Published: 2011-02-28T16:00:01.680

Modified: 2025-04-11T00:51:21.963

Link: CVE-2011-1008

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2011-02-16T00:00:00", "descriptions": [{"lang": "en", "value": "Scrips_Overlay.pm in Best Practical Solutions RT before 3.8.9 does not properly restrict access to a TicketObj in a Scrip after a CurrentUser change, which allows remote authenticated users to obtain sensitive information via unspecified vectors, as demonstrated by custom-field value information, related to SQL logging."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2021-02-25T16:06:21", "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat"}, "references": [{"name": "[oss-security] 20110224 Re: Re: CVE Request -- rt3 -- two issues: 1) Improper management of form data resubmittion upon user log out 2) SQL queries information leak by user account transition", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "http://openwall.com/lists/oss-security/2011/02/24/9"}, {"name": "rt-scripsoverlay-information-disclosure(65772)", "tags": ["vdb-entry", "x_refsource_XF"], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/65772"}, {"name": "[oss-security] 20110223 Re: Re: CVE Request -- rt3 -- two issues: 1) Improper management of form data resubmittion upon user log out 2) SQL queries information leak by user account transition", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "http://openwall.com/lists/oss-security/2011/02/23/22"}, {"name": "[oss-security] 20110224 Re: Re: CVE Request -- rt3 -- two issues: 1) Improper management of form data resubmittion upon user log out 2) SQL queries information leak by user account transition", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "http://openwall.com/lists/oss-security/2011/02/24/7"}, {"name": "71011", "tags": ["vdb-entry", "x_refsource_OSVDB"], "url": "http://osvdb.org/71011"}, {"name": "[oss-security] 20110222 Re: CVE Request -- rt3 -- two issues: 1) Improper management of form data resubmittion upon user log out 2) SQL queries information leak by user account transition", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "http://openwall.com/lists/oss-security/2011/02/22/12"}, {"name": "[oss-security] 20110224 Re: Re: CVE Request -- rt3 -- two issues: 1) Improper management of form data resubmittion upon user log out 2) SQL queries information leak by user account transition", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "http://openwall.com/lists/oss-security/2011/02/24/8"}, {"name": "43438", "tags": ["third-party-advisory", "x_refsource_SECUNIA"], "url": "http://secunia.com/advisories/43438"}, {"name": "[oss-security] 20110222 Re: CVE Request -- rt3 -- two issues: 1) Improper management of form data resubmittion upon user log out 2) SQL queries information leak by user account transition", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "http://openwall.com/lists/oss-security/2011/02/22/16"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/bestpractical/rt/commit/2338cd19ed7a7f4c1e94f639ab2789d6586d01f3"}, {"name": "[rt-announce] 20110216 RT 3.8.9 Released", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "http://lists.bestpractical.com/pipermail/rt-announce/2011-February/000186.html"}, {"name": "[oss-security] 20110222 CVE Request -- rt3 -- two issues: 1) Improper management of form data resubmittion upon user log out 2) SQL queries information leak by user account transition", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "http://openwall.com/lists/oss-security/2011/02/22/6"}, {"name": "ADV-2011-0475", "tags": ["vdb-entry", "x_refsource_VUPEN"], "url": "http://www.vupen.com/english/advisories/2011/0475"}, {"tags": ["x_refsource_CONFIRM"], "url": "http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=614576"}, {"name": "[mina-dev] 20210225 [jira] [Created] (FTPSERVER-500) Security vulnerability in common/lib/log4j-1.2.17.jar", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://lists.apache.org/thread.html/rf9fa47ab66495c78bb4120b0754dd9531ca2ff0430f6685ac9b07772%40%3Cdev.mina.apache.org%3E"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "secalert@redhat.com", "ID": "CVE-2011-1008", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Scrips_Overlay.pm in Best Practical Solutions RT before 3.8.9 does not properly restrict access to a TicketObj in a Scrip after a CurrentUser change, which allows remote authenticated users to obtain sensitive information via unspecified vectors, as demonstrated by custom-field value information, related to SQL logging."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "[oss-security] 20110224 Re: Re: CVE Request -- rt3 -- two issues: 1) Improper management of form data resubmittion upon user log out 2) SQL queries information leak by user account transition", "refsource": "MLIST", "url": "http://openwall.com/lists/oss-security/2011/02/24/9"}, {"name": "rt-scripsoverlay-information-disclosure(65772)", "refsource": "XF", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/65772"}, {"name": "[oss-security] 20110223 Re: Re: CVE Request -- rt3 -- two issues: 1) Improper management of form data resubmittion upon user log out 2) SQL queries information leak by user account transition", "refsource": "MLIST", "url": "http://openwall.com/lists/oss-security/2011/02/23/22"}, {"name": "[oss-security] 20110224 Re: Re: CVE Request -- rt3 -- two issues: 1) Improper management of form data resubmittion upon user log out 2) SQL queries information leak by user account transition", "refsource": "MLIST", "url": "http://openwall.com/lists/oss-security/2011/02/24/7"}, {"name": "71011", "refsource": "OSVDB", "url": "http://osvdb.org/71011"}, {"name": "[oss-security] 20110222 Re: CVE Request -- rt3 -- two issues: 1) Improper management of form data resubmittion upon user log out 2) SQL queries information leak by user account transition", "refsource": "MLIST", "url": "http://openwall.com/lists/oss-security/2011/02/22/12"}, {"name": "[oss-security] 20110224 Re: Re: CVE Request -- rt3 -- two issues: 1) Improper management of form data resubmittion upon user log out 2) SQL queries information leak by user account transition", "refsource": "MLIST", "url": "http://openwall.com/lists/oss-security/2011/02/24/8"}, {"name": "43438", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/43438"}, {"name": "[oss-security] 20110222 Re: CVE Request -- rt3 -- two issues: 1) Improper management of form data resubmittion upon user log out 2) SQL queries information leak by user account transition", "refsource": "MLIST", "url": "http://openwall.com/lists/oss-security/2011/02/22/16"}, {"name": "https://github.com/bestpractical/rt/commit/2338cd19ed7a7f4c1e94f639ab2789d6586d01f3", "refsource": "CONFIRM", "url": "https://github.com/bestpractical/rt/commit/2338cd19ed7a7f4c1e94f639ab2789d6586d01f3"}, {"name": "[rt-announce] 20110216 RT 3.8.9 Released", "refsource": "MLIST", "url": "http://lists.bestpractical.com/pipermail/rt-announce/2011-February/000186.html"}, {"name": "[oss-security] 20110222 CVE Request -- rt3 -- two issues: 1) Improper management of form data resubmittion upon user log out 2) SQL queries information leak by user account transition", "refsource": "MLIST", "url": "http://openwall.com/lists/oss-security/2011/02/22/6"}, {"name": "ADV-2011-0475", "refsource": "VUPEN", "url": "http://www.vupen.com/english/advisories/2011/0475"}, {"name": "http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=614576", "refsource": "CONFIRM", "url": "http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=614576"}, {"name": "[mina-dev] 20210225 [jira] [Created] (FTPSERVER-500) Security vulnerability in common/lib/log4j-1.2.17.jar", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/rf9fa47ab66495c78bb4120b0754dd9531ca2ff0430f6685ac9b07772@%3Cdev.mina.apache.org%3E"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-06T22:14:26.931Z"}, "title": "CVE Program Container", "references": [{"name": "[oss-security] 20110224 Re: Re: CVE Request -- rt3 -- two issues: 1) Improper management of form data resubmittion upon user log out 2) SQL queries information leak by user account transition", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "http://openwall.com/lists/oss-security/2011/02/24/9"}, {"name": "rt-scripsoverlay-information-disclosure(65772)", "tags": ["vdb-entry", "x_refsource_XF", "x_transferred"], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/65772"}, {"name": "[oss-security] 20110223 Re: Re: CVE Request -- rt3 -- two issues: 1) Improper management of form data resubmittion upon user log out 2) SQL queries information leak by user account transition", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "http://openwall.com/lists/oss-security/2011/02/23/22"}, {"name": "[oss-security] 20110224 Re: Re: CVE Request -- rt3 -- two issues: 1) Improper management of form data resubmittion upon user log out 2) SQL queries information leak by user account transition", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "http://openwall.com/lists/oss-security/2011/02/24/7"}, {"name": "71011", "tags": ["vdb-entry", "x_refsource_OSVDB", "x_transferred"], "url": "http://osvdb.org/71011"}, {"name": "[oss-security] 20110222 Re: CVE Request -- rt3 -- two issues: 1) Improper management of form data resubmittion upon user log out 2) SQL queries information leak by user account transition", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "http://openwall.com/lists/oss-security/2011/02/22/12"}, {"name": "[oss-security] 20110224 Re: Re: CVE Request -- rt3 -- two issues: 1) Improper management of form data resubmittion upon user log out 2) SQL queries information leak by user account transition", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "http://openwall.com/lists/oss-security/2011/02/24/8"}, {"name": "43438", "tags": ["third-party-advisory", "x_refsource_SECUNIA", "x_transferred"], "url": "http://secunia.com/advisories/43438"}, {"name": "[oss-security] 20110222 Re: CVE Request -- rt3 -- two issues: 1) Improper management of form data resubmittion upon user log out 2) SQL queries information leak by user account transition", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "http://openwall.com/lists/oss-security/2011/02/22/16"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/bestpractical/rt/commit/2338cd19ed7a7f4c1e94f639ab2789d6586d01f3"}, {"name": "[rt-announce] 20110216 RT 3.8.9 Released", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "http://lists.bestpractical.com/pipermail/rt-announce/2011-February/000186.html"}, {"name": "[oss-security] 20110222 CVE Request -- rt3 -- two issues: 1) Improper management of form data resubmittion upon user log out 2) SQL queries information leak by user account transition", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "http://openwall.com/lists/oss-security/2011/02/22/6"}, {"name": "ADV-2011-0475", "tags": ["vdb-entry", "x_refsource_VUPEN", "x_transferred"], "url": "http://www.vupen.com/english/advisories/2011/0475"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=614576"}, {"name": "[mina-dev] 20210225 [jira] [Created] (FTPSERVER-500) Security vulnerability in common/lib/log4j-1.2.17.jar", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "https://lists.apache.org/thread.html/rf9fa47ab66495c78bb4120b0754dd9531ca2ff0430f6685ac9b07772%40%3Cdev.mina.apache.org%3E"}]}]}, "cveMetadata": {"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "cveId": "CVE-2011-1008", "datePublished": "2011-02-28T15:00:00", "dateReserved": "2011-02-14T00:00:00", "dateUpdated": "2024-08-06T22:14:26.931Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:bestpractical:rt:*:rc3:*:*:*:*:*:*", "matchCriteriaId": "A1369FE3-D1CC-4A6B-9D5B-796B1BAFE1AF", "versionEndIncluding": "3.8.9", "vulnerable": true}, {"criteria": "cpe:2.3:a:bestpractical:rt:1.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "798C7256-C8A7-46EA-BE0C-685620CF78AD", "vulnerable": true}, {"criteria": "cpe:2.3:a:bestpractical:rt:1.0.1:*:*:*:*:*:*:*", "matchCriteriaId": "EC812A18-628E-4EFA-95C7-010694423894", "vulnerable": true}, {"criteria": "cpe:2.3:a:bestpractical:rt:1.0.2:*:*:*:*:*:*:*", "matchCriteriaId": "05EFCBF0-4447-4457-92B9-587A28C2D8E6", "vulnerable": true}, {"criteria": "cpe:2.3:a:bestpractical:rt:1.0.3:*:*:*:*:*:*:*", "matchCriteriaId": "0E9A6E50-5666-48BF-8FD7-2668D8AD7344", "vulnerable": true}, {"criteria": "cpe:2.3:a:bestpractical:rt:1.0.4:*:*:*:*:*:*:*", "matchCriteriaId": "915FBC54-78F1-43AC-8394-AA25BC9F88F1", "vulnerable": true}, {"criteria": "cpe:2.3:a:bestpractical:rt:1.0.5:*:*:*:*:*:*:*", "matchCriteriaId": "6F083E35-4189-45E9-A1A1-9062C88ED144", "vulnerable": true}, {"criteria": "cpe:2.3:a:bestpractical:rt:1.0.6:*:*:*:*:*:*:*", "matchCriteriaId": "D6C9869E-5949-4C1E-AED7-3A8FB3C133F1", "vulnerable": true}, {"criteria": "cpe:2.3:a:bestpractical:rt:1.0.7:*:*:*:*:*:*:*", "matchCriteriaId": "FC2090D7-2796-44E9-8330-CE874E9514E3", "vulnerable": true}, {"criteria": "cpe:2.3:a:bestpractical:rt:2.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "B558A64D-2E06-416C-85F5-AAFFD18096D7", "vulnerable": true}, {"criteria": "cpe:2.3:a:bestpractical:rt:2.0.1:*:*:*:*:*:*:*", "matchCriteriaId": "A3A24FF7-A1B0-4998-A0F8-6E5D70901299", "vulnerable": true}, {"criteria": "cpe:2.3:a:bestpractical:rt:2.0.2:*:*:*:*:*:*:*", "matchCriteriaId": "F01659AA-9146-4238-9FEE-70D345D31094", "vulnerable": true}, {"criteria": "cpe:2.3:a:bestpractical:rt:2.0.3:*:*:*:*:*:*:*", "matchCriteriaId": "0EA74674-D04E-4458-ADF0-C733E9592B05", "vulnerable": true}, {"criteria": "cpe:2.3:a:bestpractical:rt:2.0.4:*:*:*:*:*:*:*", "matchCriteriaId": "8F4ACD97-35AD-4E23-83FC-E39016936EFA", "vulnerable": true}, {"criteria": "cpe:2.3:a:bestpractical:rt:2.0.5:*:*:*:*:*:*:*", "matchCriteriaId": "DF589DDB-4348-4A55-9468-DBB5F03C82F0", "vulnerable": true}, {"criteria": "cpe:2.3:a:bestpractical:rt:2.0.5.1:*:*:*:*:*:*:*", "matchCriteriaId": "9C59D941-22C2-41A7-B9BA-4CBDA3E71F5E", "vulnerable": true}, {"criteria": "cpe:2.3:a:bestpractical:rt:2.0.5.3:*:*:*:*:*:*:*", "matchCriteriaId": "DB507C08-D3CC-4AC8-9BAC-EED9FD09E1D9", "vulnerable": true}, {"criteria": "cpe:2.3:a:bestpractical:rt:2.0.6:*:*:*:*:*:*:*", "matchCriteriaId": "A50288EA-2628-47D7-9F25-EE514B9083F9", "vulnerable": true}, {"criteria": "cpe:2.3:a:bestpractical:rt:2.0.7:*:*:*:*:*:*:*", "matchCriteriaId": "91868A78-C6C7-4C03-95B3-755816F8C663", "vulnerable": true}, {"criteria": "cpe:2.3:a:bestpractical:rt:2.0.8:*:*:*:*:*:*:*", "matchCriteriaId": "F4B4383B-20C5-4620-8107-255AD3D45D2B", "vulnerable": true}, {"criteria": "cpe:2.3:a:bestpractical:rt:2.0.8.2:*:*:*:*:*:*:*", "matchCriteriaId": "09A128B7-AA70-49DD-A20E-B9BB7D23A4EF", "vulnerable": true}, {"criteria": "cpe:2.3:a:bestpractical:rt:2.0.9:*:*:*:*:*:*:*", "matchCriteriaId": "88EFA7E0-C472-4E93-8E38-98DFCCD37EEE", "vulnerable": true}, {"criteria": "cpe:2.3:a:bestpractical:rt:2.0.11:*:*:*:*:*:*:*", "matchCriteriaId": "6E6381E7-1C01-4239-A02F-C6DB5D775F7D", "vulnerable": true}, {"criteria": "cpe:2.3:a:bestpractical:rt:2.0.12:*:*:*:*:*:*:*", "matchCriteriaId": "4120F4E4-E4EB-434C-9764-370102198554", "vulnerable": true}, {"criteria": "cpe:2.3:a:bestpractical:rt:2.0.13:*:*:*:*:*:*:*", "matchCriteriaId": "E1CA0866-CC49-4956-9493-849069B4485B", "vulnerable": true}, {"criteria": "cpe:2.3:a:bestpractical:rt:2.0.14:*:*:*:*:*:*:*", "matchCriteriaId": "565B7E66-BD96-419A-8EC2-FE971BDC47A0", "vulnerable": true}, {"criteria": "cpe:2.3:a:bestpractical:rt:2.0.15:*:*:*:*:*:*:*", "matchCriteriaId": "FAC1443B-50C8-4E98-9900-CACFEA5AD00D", "vulnerable": true}, {"criteria": "cpe:2.3:a:bestpractical:rt:3.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "F451959A-5305-4210-977B-6B396BC0A4F7", "vulnerable": true}, {"criteria": "cpe:2.3:a:bestpractical:rt:3.0.1:*:*:*:*:*:*:*", "matchCriteriaId": "BA418CF5-49D6-4E0E-A1B5-8CB23752989D", "vulnerable": true}, {"criteria": "cpe:2.3:a:bestpractical:rt:3.0.2:*:*:*:*:*:*:*", "matchCriteriaId": "8E238F87-8D8C-4E62-A8F0-3DB9EFDB8328", "vulnerable": true}, {"criteria": "cpe:2.3:a:bestpractical:rt:3.0.3:*:*:*:*:*:*:*", "matchCriteriaId": "3FD8A7EF-5DB8-40C6-9124-A97A23B3EA02", "vulnerable": true}, {"criteria": "cpe:2.3:a:bestpractical:rt:3.0.4:*:*:*:*:*:*:*", "matchCriteriaId": "2AD553B8-8495-47E5-A543-4DC963B3511A", "vulnerable": true}, {"criteria": "cpe:2.3:a:bestpractical:rt:3.0.5:*:*:*:*:*:*:*", "matchCriteriaId": "28ADB191-4787-4FDB-B70A-F4C8BDF0F4B4", "vulnerable": true}, {"criteria": "cpe:2.3:a:bestpractical:rt:3.0.6:*:*:*:*:*:*:*", "matchCriteriaId": "2772389A-9BCD-4B13-88C8-75BC64E40AF7", "vulnerable": true}, {"criteria": "cpe:2.3:a:bestpractical:rt:3.0.7:*:*:*:*:*:*:*", "matchCriteriaId": "B1F9D05F-C86D-40D8-A7D9-5448918B72DD", "vulnerable": true}, {"criteria": "cpe:2.3:a:bestpractical:rt:3.0.7.1:*:*:*:*:*:*:*", "matchCriteriaId": "311485DA-5381-4EAD-AF58-B8C67373413A", "vulnerable": true}, {"criteria": "cpe:2.3:a:bestpractical:rt:3.0.8:*:*:*:*:*:*:*", "matchCriteriaId": "2EAF6671-8C77-448B-BF29-E2CF51176CC6", "vulnerable": true}, {"criteria": "cpe:2.3:a:bestpractical:rt:3.0.9:*:*:*:*:*:*:*", "matchCriteriaId": "B55D762D-A723-435C-8D80-F7230F1648D4", "vulnerable": true}, {"criteria": "cpe:2.3:a:bestpractical:rt:3.0.10:*:*:*:*:*:*:*", "matchCriteriaId": "4CC63EDC-541E-445D-8B72-799E4184B7EC", "vulnerable": true}, {"criteria": "cpe:2.3:a:bestpractical:rt:3.0.11:*:*:*:*:*:*:*", "matchCriteriaId": "D5E6196E-4A90-4F64-BA99-A8E04A09D5ED", "vulnerable": true}, {"criteria": "cpe:2.3:a:bestpractical:rt:3.0.12:*:*:*:*:*:*:*", "matchCriteriaId": "91D7CE86-3FCD-472E-BF01-31FFB36701BD", "vulnerable": true}, {"criteria": "cpe:2.3:a:bestpractical:rt:3.2.0:*:*:*:*:*:*:*", "matchCriteriaId": "70B3F0B2-8C70-4046-AAA0-FBD344FE4DBD", "vulnerable": true}, {"criteria": "cpe:2.3:a:bestpractical:rt:3.2.1:*:*:*:*:*:*:*", "matchCriteriaId": "FCD0173D-F699-4864-8856-D1792BDA0F84", "vulnerable": true}, {"criteria": "cpe:2.3:a:bestpractical:rt:3.2.2:*:*:*:*:*:*:*", "matchCriteriaId": "19CC2E53-5DE8-4A31-9B8A-79335DFBAFEF", "vulnerable": true}, {"criteria": "cpe:2.3:a:bestpractical:rt:3.2.3:*:*:*:*:*:*:*", "matchCriteriaId": "404AFC5C-20B4-41E5-ACDE-56626D68AFEA", "vulnerable": true}, {"criteria": "cpe:2.3:a:bestpractical:rt:3.4.0:*:*:*:*:*:*:*", "matchCriteriaId": "F37D1380-965B-40E0-8A20-61FEA072B8D1", "vulnerable": true}, {"criteria": "cpe:2.3:a:bestpractical:rt:3.4.1:*:*:*:*:*:*:*", "matchCriteriaId": "E101B0FE-499F-44D8-8B68-BB7FEE40D2B4", "vulnerable": true}, {"criteria": "cpe:2.3:a:bestpractical:rt:3.4.2:*:*:*:*:*:*:*", "matchCriteriaId": "747D8CD1-EE12-48A4-A795-88BC66A8DA33", "vulnerable": true}, {"criteria": "cpe:2.3:a:bestpractical:rt:3.4.3:*:*:*:*:*:*:*", "matchCriteriaId": "5FDE201D-F31A-4738-B9AB-7BB11417990E", "vulnerable": true}, {"criteria": "cpe:2.3:a:bestpractical:rt:3.4.4:*:*:*:*:*:*:*", "matchCriteriaId": "4D6ED4EC-F860-47BD-B699-551FB5DBF039", "vulnerable": true}, {"criteria": "cpe:2.3:a:bestpractical:rt:3.4.5:*:*:*:*:*:*:*", "matchCriteriaId": "E3398823-1813-4D7B-9EC9-74222A240051", "vulnerable": true}, {"criteria": "cpe:2.3:a:bestpractical:rt:3.4.6:*:*:*:*:*:*:*", "matchCriteriaId": "F98B7895-BDB3-477C-8B34-88BD3E02EAFF", "vulnerable": true}, {"criteria": "cpe:2.3:a:bestpractical:rt:3.6.0:*:*:*:*:*:*:*", "matchCriteriaId": "1512169D-DCEF-4964-B05A-3DF19CDE8F57", "vulnerable": true}, {"criteria": "cpe:2.3:a:bestpractical:rt:3.6.1:*:*:*:*:*:*:*", "matchCriteriaId": "B427F5D4-ACD6-46E5-B94F-CA30330C6492", "vulnerable": true}, {"criteria": "cpe:2.3:a:bestpractical:rt:3.6.2:*:*:*:*:*:*:*", "matchCriteriaId": "E9B38C33-D680-4285-A849-E6CDA9F4802F", "vulnerable": true}, {"criteria": "cpe:2.3:a:bestpractical:rt:3.6.3:*:*:*:*:*:*:*", "matchCriteriaId": "646CFD82-15FE-48E4-83C9-E3E037E9F928", "vulnerable": true}, {"criteria": "cpe:2.3:a:bestpractical:rt:3.6.4:*:*:*:*:*:*:*", "matchCriteriaId": "57404A14-6E1C-4F3B-8120-75F1073A3E18", "vulnerable": true}, {"criteria": "cpe:2.3:a:bestpractical:rt:3.6.5:*:*:*:*:*:*:*", "matchCriteriaId": "3F40ED56-CDAC-40BB-A026-5D6A09DCB72C", "vulnerable": true}, {"criteria": "cpe:2.3:a:bestpractical:rt:3.6.6:*:*:*:*:*:*:*", "matchCriteriaId": "33C325D9-CB88-430F-B1AE-3544C7176398", "vulnerable": true}, {"criteria": "cpe:2.3:a:bestpractical:rt:3.6.7:*:*:*:*:*:*:*", "matchCriteriaId": "F1E86D15-8435-46B9-88FF-8A51771C55E5", "vulnerable": true}, {"criteria": "cpe:2.3:a:bestpractical:rt:3.6.8:*:*:*:*:*:*:*", "matchCriteriaId": "543C8E63-9A49-4D6A-899A-7D244D0CCC17", "vulnerable": true}, {"criteria": "cpe:2.3:a:bestpractical:rt:3.6.9:*:*:*:*:*:*:*", "matchCriteriaId": "00AFB893-E37A-4E81-A984-66D677161D80", "vulnerable": true}, {"criteria": "cpe:2.3:a:bestpractical:rt:3.8.0:*:*:*:*:*:*:*", "matchCriteriaId": "C503726A-4AAB-4444-A204-7F53A6369919", "vulnerable": true}, {"criteria": "cpe:2.3:a:bestpractical:rt:3.8.1:*:*:*:*:*:*:*", "matchCriteriaId": "F2B93F59-E22F-47E0-A5EA-D5716E9EAB48", "vulnerable": true}, {"criteria": "cpe:2.3:a:bestpractical:rt:3.8.2:*:*:*:*:*:*:*", "matchCriteriaId": "0BF01543-2929-4ADA-BD74-ABE00BF066BD", "vulnerable": true}, {"criteria": "cpe:2.3:a:bestpractical:rt:3.8.3:*:*:*:*:*:*:*", "matchCriteriaId": "562E9782-259B-42C6-BC3E-C452799A78FD", "vulnerable": true}, {"criteria": "cpe:2.3:a:bestpractical:rt:3.8.4:*:*:*:*:*:*:*", "matchCriteriaId": "C4D2E2C8-15E8-45E4-9DBF-6CF2BEB30576", "vulnerable": true}, {"criteria": "cpe:2.3:a:bestpractical:rt:3.8.5:*:*:*:*:*:*:*", "matchCriteriaId": "9E4D117A-92C0-4884-A3E6-F6FCC8B89458", "vulnerable": true}, {"criteria": "cpe:2.3:a:bestpractical:rt:3.8.6:*:*:*:*:*:*:*", "matchCriteriaId": "AED14B5B-A9DE-46A4-8996-F6DC75B5DCD7", "vulnerable": true}, {"criteria": "cpe:2.3:a:bestpractical:rt:3.8.6:rc1:*:*:*:*:*:*", "matchCriteriaId": "D237F862-E8D5-4D82-9CDC-A8A84D2DE665", "vulnerable": true}, {"criteria": "cpe:2.3:a:bestpractical:rt:3.8.7:rc1:*:*:*:*:*:*", "matchCriteriaId": "B306ECCE-8095-48E7-A523-05F6B2AF686E", "vulnerable": true}, {"criteria": "cpe:2.3:a:bestpractical:rt:3.8.8:rc2:*:*:*:*:*:*", "matchCriteriaId": "B6FBA787-90EE-4148-804C-F4F6021D5177", "vulnerable": true}, {"criteria": "cpe:2.3:a:bestpractical:rt:3.8.8:rc3:*:*:*:*:*:*", "matchCriteriaId": "9035493E-C9BA-4DDE-914A-E14CB072E745", "vulnerable": true}, {"criteria": "cpe:2.3:a:bestpractical:rt:3.8.8:rc4:*:*:*:*:*:*", "matchCriteriaId": "19E636D2-525B-4B27-A9E1-16BC0088C8AF", "vulnerable": true}, {"criteria": "cpe:2.3:a:bestpractical:rt:3.8.9:rc1:*:*:*:*:*:*", "matchCriteriaId": "F9040C7B-9080-4B57-885D-9275B9623E46", "vulnerable": true}, {"criteria": "cpe:2.3:a:bestpractical:rt:3.8.9:rc2:*:*:*:*:*:*", "matchCriteriaId": "7B927C5E-EAC2-4032-905A-BBCE66693958", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Scrips_Overlay.pm in Best Practical Solutions RT before 3.8.9 does not properly restrict access to a TicketObj in a Scrip after a CurrentUser change, which allows remote authenticated users to obtain sensitive information via unspecified vectors, as demonstrated by custom-field value information, related to SQL logging."}, {"lang": "es", "value": "Scrips_Overlay.pm en Best Practical Solutions RT anterior a v3.8.9 no restringe el acceso adecuadamente a TicketObj en un Scrip despu\u00e9s de un cambio en CurrentUser, lo que permite a usuarios autenticados obtener informaci\u00f3n sensible a trav\u00e9s de vectores no especificados, como se demostr\u00f3 por el valor de informaci\u00f3n custom-field, relacionado con el registro SQL."}], "id": "CVE-2011-1008", "lastModified": "2025-04-11T00:51:21.963", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 4.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}]}, "published": "2011-02-28T16:00:01.680", "references": [{"source": "secalert@redhat.com", "tags": ["Patch"], "url": "http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=614576"}, {"source": "secalert@redhat.com", "tags": ["Patch"], "url": "http://lists.bestpractical.com/pipermail/rt-announce/2011-February/000186.html"}, {"source": "secalert@redhat.com", "tags": ["Patch"], "url": "http://openwall.com/lists/oss-security/2011/02/22/12"}, {"source": "secalert@redhat.com", "tags": ["Patch"], "url": "http://openwall.com/lists/oss-security/2011/02/22/16"}, {"source": "secalert@redhat.com", "tags": ["Patch"], "url": "http://openwall.com/lists/oss-security/2011/02/22/6"}, {"source": "secalert@redhat.com", "url": "http://openwall.com/lists/oss-security/2011/02/23/22"}, {"source": "secalert@redhat.com", "url": "http://openwall.com/lists/oss-security/2011/02/24/7"}, {"source": "secalert@redhat.com", "url": "http://openwall.com/lists/oss-security/2011/02/24/8"}, {"source": "secalert@redhat.com", "url": "http://openwall.com/lists/oss-security/2011/02/24/9"}, {"source": "secalert@redhat.com", "url": "http://osvdb.org/71011"}, {"source": "secalert@redhat.com", "tags": ["Vendor Advisory"], "url": "http://secunia.com/advisories/43438"}, {"source": "secalert@redhat.com", "tags": ["Vendor Advisory"], "url": "http://www.vupen.com/english/advisories/2011/0475"}, {"source": "secalert@redhat.com", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/65772"}, {"source": "secalert@redhat.com", "tags": ["Patch"], "url": "https://github.com/bestpractical/rt/commit/2338cd19ed7a7f4c1e94f639ab2789d6586d01f3"}, {"source": "secalert@redhat.com", "url": "https://lists.apache.org/thread.html/rf9fa47ab66495c78bb4120b0754dd9531ca2ff0430f6685ac9b07772%40%3Cdev.mina.apache.org%3E"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=614576"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "http://lists.bestpractical.com/pipermail/rt-announce/2011-February/000186.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "http://openwall.com/lists/oss-security/2011/02/22/12"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "http://openwall.com/lists/oss-security/2011/02/22/16"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "http://openwall.com/lists/oss-security/2011/02/22/6"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://openwall.com/lists/oss-security/2011/02/23/22"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://openwall.com/lists/oss-security/2011/02/24/7"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://openwall.com/lists/oss-security/2011/02/24/8"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://openwall.com/lists/oss-security/2011/02/24/9"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://osvdb.org/71011"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "http://secunia.com/advisories/43438"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "http://www.vupen.com/english/advisories/2011/0475"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/65772"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "https://github.com/bestpractical/rt/commit/2338cd19ed7a7f4c1e94f639ab2789d6586d01f3"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.apache.org/thread.html/rf9fa47ab66495c78bb4120b0754dd9531ca2ff0430f6685ac9b07772%40%3Cdev.mina.apache.org%3E"}], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-264"}], "source": "nvd@nist.gov", "type": "Primary"}]}

Metrics

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

Affected Vendors & Products

Metrics

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object