Multiple vulnerabilities have been identified in IBM Rational ClearQuest, which could be exploited by attackers to bypass security restrictions or gain knowledge of sensitive information.
The first issue is caused by an error when displaying passwords as asterisks, which could allow local attackers to gain knowledge of sensitive information (i.e. user and database passwords).
The second vulnerability is caused by unspecified input validation errors, which could be exploited by attackers to cause arbitrary scripting code to be executed by the user's browser in the security context of an affected site.
The third issue is caused by an error when handling database connections, which could potentially cause information disclosure.
The fourth vulnerability is caused by the database password being stored unencrypted in an object when editing a ClearQuest connection profile in the maintenance tool.