Information exposure vulnerability in Request Tracker (RT)
- Request Tracker, version 4.4.1.
INCIBE has coordinated the publication of a medium-severity vulnerability, discovered by Javier Garcia Antón, affecting RT version 4.4.1, a tool developed by Best Practical Solutions for cyber incident management.
This vulnerability has been assigned the following code, CVSS v3.1 base score, CVSS vector and CWE vulnerability type:
- CVE-2024-3262: 5.5 | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N | CWE-200
The vulnerability is fixed by applying the following patches:
- https://github.com/bestpractical/rt/commit/ea07e767eaef5b202e8883051616d09806b8b48a.patch
- https://github.com/bestpractical/rt/commit/468f86bd3e82c3b5b5ef7087d416a7509d4b1abe.patch
In future versions of RT, this solution will be included as a configurable option of the tool.
CVE-2024-3262: information exposure vulnerability in RT software affecting version 4.4.1. This vulnerability allows an attacker with local access to the device to retrieve sensitive information about the application, such as vulnerability tickets, because the application stores the information in the browser cache, leading to information exposure despite session termination.
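To check a deployment for the caching behaviour described above, the following added example (not code from INCIBE or Best Practical, and not a reproduction of the linked patches) classifies authenticated responses by whether a browser may keep a copy after logout. It relies on the HTTP caching rule that only `Cache-Control: no-store` forbids storage; the paths and headers in `SAMPLE` are constructed.

```python
import re

# One directive: token, optional =value (a quoted-string may contain commas).
_DIRECTIVE = re.compile(r'\s*([^=,\s]+)\s*(?:=\s*("(?:[^"\\]|\\.)*"|[^,]*))?\s*(?:,|$)')


def parse_cache_control(values):
    """Merge one or more Cache-Control field values into {directive: argument}."""
    directives = {}
    for value in values:
        for name, arg in _DIRECTIVE.findall(value):
            directives[name.lower()] = arg.strip().strip('"')
    return directives


def storage_verdict(headers):
    """Classify one response given its (name, value) header pairs.

    'not-stored'         no-store present: the browser must not keep a copy
    'stored-revalidated' a copy may be written; reuse requires revalidation
    'stored'             a copy may be written and reused without revalidation
    """
    cc = parse_cache_control(v for k, v in headers if k.lower() == "cache-control")
    if "no-store" in cc:
        return "not-stored"
    if cc.get("no-cache") == "" or cc.get("max-age") == "0":
        return "stored-revalidated"
    return "stored"


def exposed_after_logout(responses):
    """Return paths whose responses a local user could still find in the cache."""
    return [path for path, headers in responses if storage_verdict(headers) != "not-stored"]


# Constructed sample: hypothetical paths and headers, not captured from RT.
SAMPLE = [
    ("/ticket/101", [("Content-Type", "text/html"), ("Cache-Control", "private, max-age=0")]),
    ("/ticket/102", [("cache-control", "no-cache"), ("Pragma", "no-cache")]),
    ("/ticket/103", [("Cache-Control", 'private="Set-Cookie, X-Id"'), ("Cache-Control", "No-Store")]),
    ("/ticket/104", [("Content-Type", "text/html")]),
]

if __name__ == "__main__":
    for path, headers in SAMPLE:
        print(path, storage_verdict(headers))
```

Both `stored` and `stored-revalidated` count as exposed here, because revalidation controls reuse by the browser, not what remains readable in the cache for someone with local access.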