製品・ソフトウェアに関する情報

JVN脆弱性詳細

Quassel IRC の Quassel core における他のユーザのバックログを読まれる脆弱性

Title	Quassel IRC の Quassel core における他のユーザのバックログを読まれる脆弱性
Summary	Quassel IRC の Quassel core (サーバデーモン) は、ユーザバックログへのアクセス時にユーザ ID を適切に検証しないため、他のユーザのバックログを読まれる脆弱性が存在します。
Possible impacts	リモート認証されたユーザにより、core/SQL/PostgreSQL/ の (1) 16/select_buffer_by_id.sql、(2) 16/select_buffer_by_id.sql、および (3) 16/select_buffer_by_id.sql の bufferid を介して、他のユーザのバックログを読まれる可能性があります。
Solution	ベンダより正式な対策が公開されています。ベンダ情報を参照して適切な対策を実施してください。
Publication Date	Nov. 26, 2013, midnight
Registration Date	Dec. 11, 2013, 7:53 p.m.
Last Update	Dec. 11, 2013, 7:53 p.m.

Affected System

Quassel IRC

Quassel IRC 0.9.2 未満

CVE (情報セキュリティ共通脆弱性識別子)

No	Name	URL
Common Vulnerabilities and Exposures (CVE)
1	CVE-2013-6404	http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6404
National Vulnerability Database (NVD)
2	CVE-2013-6404	http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-6404

CWE (共通脆弱性タイプ一覧)

No	Name	URL
JVNDB
1	CWE-264	https://jvndb.jvn.jp/ja/cwe/CWE-264.html

ベンダー情報

No	Name	URL
GitHub
1	Make sure that clients can't access buffers belonging to other users	https://github.com/quassel/quassel/commit/a1a24da
Quassel IRC
2	Yet Another Important Update: Quassel 0.9.2	http://quassel-irc.org/node/123

Change Log

No	Changed Details	Date of change
0	[2013年12月11日] 掲載	Feb. 17, 2018, 10:37 a.m.

NVD Vulnerability Information

CVE-2013-6404

Summary	Quassel core (server daemon) in Quassel IRC before 0.9.2 does not properly verify the user ID when accessing user backlogs, which allows remote authenticated users to read other users' backlogs via the bufferid in (1) 16/select_buffer_by_id.sql, (2) 16/select_buffer_by_id.sql, and (3) 16/select_buffer_by_id.sql in core/SQL/PostgreSQL/.
Publication Date	Dec. 10, 2013, 1:36 a.m.
Registration Date	Jan. 26, 2021, 3:47 p.m.
Last Update	Nov. 21, 2024, 10:59 a.m.

Affected software configurations

Related information, measures and tools

No	URL	タグ
1	http://lists.opensuse.org/opensuse-updates/2013-12/msg00092.html
2	http://lists.opensuse.org/opensuse-updates/2013-12/msg00092.html
3	http://lists.opensuse.org/opensuse-updates/2014-01/msg00078.html
4	http://lists.opensuse.org/opensuse-updates/2014-01/msg00078.html
5	http://osvdb.org/100432
6	http://osvdb.org/100432
7	http://quassel-irc.org/node/123	Patch Vendor Advisory
8	http://quassel-irc.org/node/123	Patch Vendor Advisory
9	http://secunia.com/advisories/55640	Vendor Advisory
10	http://secunia.com/advisories/55640	Vendor Advisory
11	http://www.openwall.com/lists/oss-security/2013/11/28/8
12	http://www.openwall.com/lists/oss-security/2013/11/28/8
13	https://exchange.xforce.ibmcloud.com/vulnerabilities/89377
14	https://exchange.xforce.ibmcloud.com/vulnerabilities/89377
15	https://github.com/quassel/quassel/commit/a1a24da	Exploit Patch
16	https://github.com/quassel/quassel/commit/a1a24da	Exploit Patch

Common Vulnerabilities List

No	CWE	Name	URL
1	CWE-264	認可・権限・アクセス制御	https://cwe.mitre.org/data/definitions/264.html