CVE-2014-6276

Name: CVE-2014-6276
Description: schema.py in Roundup before 1.5.1 does not properly limit attributes included in default user permissions, which might allow remote authenticated users to obtain sensitive user information by viewing user details.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SuSE, Mageia, GitHub code/issues, web search, more)
References: DSA-3502-1
NVD severity: medium (attack range: remote)
Debian Bugs: 816780

Vulnerable and fixed packages

The table below lists information on source packages.

| Source Package | Release | Version | Status |
|---|---|---|---|
| roundup (PTS) | wheezy, wheezy (security) | 1.4.20-1.1+deb7u1 | fixed |
| | jessie (security), jessie | 1.4.20-1.1+deb8u1 | fixed |

The information below is based on the following data on fixed versions.

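| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| roundup | source | (unstable) | (unfixed) | medium | | 816780 |
| roundup | source | jessie | 1.4.20-1.1+deb8u1 | medium | DSA-3502-1 | |
| roundup | source | wheezy | 1.4.20-1.1+deb7u1 | medium | DSA-3502-1 | |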

Notes

http://hg.code.sf.net/p/roundup/code/rev/a403c29ffaf9
