#VU32754 Permissions, Privileges, and Access Controls in MoinMoin - CVE-2012-4404
Published: September 11, 2012 / Updated: July 28, 2020
Vulnerability identifier: #VU32754
Vulnerability risk: Low
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2012-4404
CWE-ID: CWE-264
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vulnerable software:
MoinMoin
Software vendor:
MoinMoin
Description
The vulnerability allows a remote authenticated user to read and manipulate data.
security/__init__.py in MoinMoin 1.9 through 1.9.4 does not properly handle group names that contain virtual group names such as "All," "Known," or "Trusted," which allows remote authenticated users with virtual group membership to be treated as a member of the group.
Remediation
Install update from vendor's website.
External links
- http://hg.moinmo.in/moin/1.9/rev/7b9f39289e16
- http://moinmo.in/SecurityFixes
- http://secunia.com/advisories/50474
- http://secunia.com/advisories/50496
- http://secunia.com/advisories/50885
- http://www.debian.org/security/2012/dsa-2538
- http://www.openwall.com/lists/oss-security/2012/09/04/4
- http://www.openwall.com/lists/oss-security/2012/09/05/2
- http://www.ubuntu.com/usn/USN-1604-1