Debian DSA-420-1 : jitterbug - improperly sanitised input

high Nessus Plugin ID 15257

Synopsis

The remote Debian host is missing a security-related update.

Description

Steve Kemp discovered a security related problem in jitterbug, a simple CGI based bug tracking and reporting tool. Unfortunately the program executions do not properly sanitize input, which allows an attacker to execute arbitrary commands on the server hosting the bug database. As mitigating factors these attacks are only available to non-guest users, and accounts for these people must be setup by the administrator making them 'trusted'.

Solution

Upgrade the jitterbug package.

For the stable distribution (woody) this problem has been fixed in version 1.6.2-4.2woody2.

See Also

http://www.debian.org/security/2004/dsa-420

Plugin Details

Severity: High

ID: 15257

File Name: debian_DSA-420.nasl

Version: 1.22

Type: local

Agent: unix

Published: 9/29/2004

Updated: 1/4/2021

Supported Sensors: Frictionless Assessment Agent, Nessus Agent, Agentless Assessment, Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 5.8

CVSS v2

Risk Factor: High

Base Score: 7.5

Temporal Score: 5.5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

Vulnerability Information

CPE: p-cpe:/a:debian:debian_linux:jitterbug, cpe:/o:debian:debian_linux:3.0

Required KB Items: Host/local_checks_enabled, Host/Debian/release, Host/Debian/dpkg-l

Exploit Ease: No known exploits are available

Patch Publication Date: 1/12/2004

Vulnerability Publication Date: 1/13/2004

Reference Information

CVE: CVE-2004-0028

BID: 9397

DSA: 420