CVE-2024-3262

NameCVE-2024-3262
DescriptionInformation exposure vulnerability in RT software affecting version 4.4.1. This vulnerability allows an attacker with local access to the device to retrieve sensitive information about the application, such as vulnerability tickets, because the application stores the information in the browser cache, leading to information exposure despite session termination.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs1068452, 1068453

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
request-tracker4 (PTS)jessie, jessie (lts)4.2.8-3+deb8u4vulnerable
stretch (security)4.4.1-3+deb9u4vulnerable
stretch (lts), stretch4.4.1-3+deb9u6vulnerable
buster (security), buster, buster (lts)4.4.3-2+deb10u3vulnerable
bullseye (security), bullseye4.4.4+dfsg-2+deb11u3vulnerable
bookworm (security), bookworm4.4.6+dfsg-1.1+deb12u1vulnerable
sid, trixie4.4.7+dfsg-3fixed
request-tracker5 (PTS)bookworm (security), bookworm5.0.3+dfsg-3~deb12u2vulnerable
sid, trixie5.0.7+dfsg-2fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
request-tracker4sourcejessie(unfixed)end-of-life
request-tracker4sourcestretch(unfixed)end-of-life
request-tracker4source(unstable)4.4.7+dfsg-21068452
request-tracker5source(unstable)5.0.7+dfsg-11068453

Notes

[bookworm] - request-tracker4 <no-dsa> (Minor issue)
[bullseye] - request-tracker4 <no-dsa> (Minor issue)
[buster] - request-tracker4 <no-dsa> (Minor issue)
[bookworm] - request-tracker5 <no-dsa> (Minor issue)
https://github.com/bestpractical/rt/commit/ea07e767eaef5b202e8883051616d09806b8b48a
https://github.com/bestpractical/rt/commit/468f86bd3e82c3b5b5ef7087d416a7509d4b1abe

Search for package or bug name: Reporting problems