Detections
Analytics

GLSA-200805-21 : Roundup: Permission bypass

medium Nessus Plugin ID 32450

Synopsis

The remote Gentoo host is missing one or more security-related patches.

Description

The remote host is affected by the vulnerability described in GLSA-200805-21 (Roundup: Permission bypass)

 Philipp Gortan reported that the xml-rpc server in Roundup does not check property permissions (CVE-2008-1475). Furthermore, Roland Meister discovered multiple vulnerabilities caused by unspecified errors, some of which may be related to cross-site scripting (CVE-2008-1474).
 Impact :

 A remote attacker could possibly exploit the first vulnerability to edit or view restricted properties via the list(), display(), and set() methods. The impact and attack vectors of the second vulnerability are unknown.
 Workaround :

 There is no known workaround at this time.

Solution

All Roundup users should upgrade to the latest version:
 # emerge --sync # emerge --ask --oneshot --verbose '>=www-apps/roundup-1.4.4-r1'

See Also

https://security.gentoo.org/glsa/200805-21

Plugin Details

Severity: Medium

ID: 32450

File Name: gentoo_GLSA-200805-21.nasl

Version: 1.15

Type: local

Published: 5/28/2008

Updated: 1/6/2021

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: Low

Score: 3.4

CVSS v2

Risk Factor: Medium

Base Score: 6.4

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:N

Vulnerability Information

CPE: p-cpe:/a:gentoo:linux:roundup, cpe:/o:gentoo:linux

Required KB Items: Host/local_checks_enabled, Host/Gentoo/release, Host/Gentoo/qpkg-list

Patch Publication Date: 5/27/2008

Reference Information

CVE: CVE-2008-1474, CVE-2008-1475

CWE: 200, 264

GLSA: 200805-21