| Name | CVE-2024-3262 |
| Description | Information exposure vulnerability in RT software affecting version 4.4.1. This vulnerability allows an attacker with local access to the device to retrieve sensitive information about the application, such as vulnerability tickets, because the application stores the information in the browser cache, leading to information exposure despite session termination. |
| Source | CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more) |
| Debian Bugs | 1068452, 1068453 |
Vulnerable and fixed packages
The table below lists information on source packages.
| Source Package | Release | Version | Status |
|---|
| request-tracker4 (PTS) | buster | 4.4.3-2+deb10u2 | vulnerable |
| buster (security) | 4.4.3-2+deb10u3 | vulnerable |
| bullseye (security), bullseye | 4.4.4+dfsg-2+deb11u3 | vulnerable |
| bookworm, bookworm (security) | 4.4.6+dfsg-1.1+deb12u1 | vulnerable |
| trixie, sid | 4.4.7+dfsg-1 | vulnerable |
| request-tracker5 (PTS) | bookworm, bookworm (security) | 5.0.3+dfsg-3~deb12u2 | vulnerable |
| trixie, sid | 5.0.5+dfsg-2 | vulnerable |
The information below is based on the following data on fixed versions.
Notes
[bookworm] - request-tracker4 <no-dsa> (Minor issue)
[bullseye] - request-tracker4 <no-dsa> (Minor issue)
[buster] - request-tracker4 <no-dsa> (Minor issue)
[bookworm] - request-tracker5 <no-dsa> (Minor issue)
https://github.com/bestpractical/rt/commit/ea07e767eaef5b202e8883051616d09806b8b48a
https://github.com/bestpractical/rt/commit/468f86bd3e82c3b5b5ef7087d416a7509d4b1abe