Fluid Attacks Database

Description

The vulnerable-passwords script in Best Practical Solutions RT 3.x before 3.8.12 and 4.x before 4.0.6 does not update the password-hash algorithm for disabled user accounts, which makes it easier for context-dependent attackers to determine cleartext passwords, and possibly use these passwords after accounts are re-enabled, via a brute-force attack on the database. NOTE: this vulnerability exists because of an incomplete fix for CVE-2011-0009.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
debian 11	request-tracker4	>=0 <4.0.5-3	4.0.5-3
debian 12	request-tracker4	>=0 <4.0.5-3	4.0.5-3

Aliases

1. CVE-2011-20822. NVD-2011-20823. OSV-DEBIAN-2011-20824. OSV-2011-20825. SECURITY-TRACKER-CVE-2011-2082

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.