CVE-2014-8553 in MantisBT

Summary

by MITRE

The mci_account_get_array_by_id function in api/soap/mc_account_api.php in MantisBT before 1.2.18 allows remote attackers to obtain sensitive information via a (1) mc_project_get_users, (2) mc_issue_get, (3) mc_filter_get_issues, or (4) mc_project_get_issues SOAP request.


Analysis

by VulDB Data Team • 04/08/2022

The vulnerability identified as CVE-2014-8553 represents a critical information disclosure flaw within MantisBT version 1.2.17 and earlier, specifically affecting the mci_account_get_array_by_id function in the api/soap/mc_account_api.php file. This vulnerability manifests through four distinct SOAP request methods that collectively enable remote attackers to extract sensitive user information from the system. The flaw stems from inadequate access controls and improper input validation within the SOAP API implementation, allowing unauthorized entities to bypass normal authentication mechanisms and retrieve data that should remain restricted to authorized users.

The technical exploitation of this vulnerability occurs through specifically crafted SOAP requests targeting the mc_project_get_users, mc_issue_get, mc_filter_get_issues, and mc_project_get_issues endpoints. These requests leverage the mci_account_get_array_by_id function to traverse the application's access control layers and extract user account details, potentially including usernames, email addresses, and other sensitive personal information. The vulnerability is classified under CWE-200, which specifically addresses "Information Exposure," and aligns with ATT&CK technique T1213.002 for "Data from Information Repositories" within the credential access category. The flaw demonstrates poor input sanitization and insufficient privilege checking, enabling attackers to escalate their access level through legitimate API interfaces.

The operational impact of this vulnerability extends beyond simple information disclosure, as it can facilitate subsequent attacks including credential stuffing, social engineering campaigns, and privilege escalation attempts. Attackers who successfully exploit this vulnerability gain access to comprehensive user account information that can be used to compromise additional system resources or launch targeted attacks against specific individuals. The vulnerability affects organizations using MantisBT for issue tracking and project management, potentially exposing sensitive project data, user credentials, and organizational information. Security professionals should consider this vulnerability as part of a broader attack surface analysis, particularly when evaluating web application security and API access controls.

Organizations should immediately implement mitigations including upgrading to MantisBT version 1.2.18 or later, which contains the necessary patches to address the information disclosure vulnerability. Additional protective measures include implementing strict API access controls, monitoring SOAP request patterns for anomalous behavior, and conducting regular security audits of web service endpoints. Network segmentation and firewall rules should be configured to restrict access to the SOAP API to trusted IP addresses only. The vulnerability also underscores the importance of proper input validation and access control implementation, as recommended by OWASP API Security Top 10 and NIST SP 800-53 security controls. Security teams should also consider implementing automated vulnerability scanning tools that can detect similar information disclosure patterns in other web applications and services.
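The monitoring and trusted-address measures described above can be combined into one check, shown here as an added example that is not code from VulDB or the MantisBT project. It assumes SOAP request bodies and source addresses are already captured (for example by a reverse proxy); the function names, the allowlist range and the sample records are constructed for illustration.

```python
import ipaddress
import xml.etree.ElementTree as ET

# The four SOAP operations named in the CVE-2014-8553 description.
WATCHED_OPS = {"mc_project_get_users", "mc_issue_get",
               "mc_filter_get_issues", "mc_project_get_issues"}
SOAP_ENV_NS = "http://schemas.xmlsoap.org/soap/envelope/"  # SOAP 1.1 envelope
TRUSTED_NETS = [ipaddress.ip_network("192.0.2.0/24")]  # assumed allowlist


def soap_operation(body):
    """Return the local name of the first element inside soap:Body, or None."""
    if "<!DOCTYPE" in body or "<!ENTITY" in body:
        return None  # refuse DTDs: ElementTree does not limit entity expansion
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return None
    soap_body = root.find(f"{{{SOAP_ENV_NS}}}Body")
    if soap_body is None or len(soap_body) == 0:
        return None
    return soap_body[0].tag.rsplit("}", 1)[-1]  # strip the "{namespace}" prefix


def flag_requests(records):
    """Return (src_ip, operation) for watched operations from untrusted sources."""
    hits = []
    for src_ip, body in records:
        op = soap_operation(body)
        addr = ipaddress.ip_address(src_ip)
        if op in WATCHED_OPS and not any(addr in net for net in TRUSTED_NETS):
            hits.append((src_ip, op))
    return hits


def sample_envelope(op):
    """Build a constructed SOAP 1.1 request body that calls `op`."""
    return (f'<e:Envelope xmlns:e="{SOAP_ENV_NS}" xmlns:n="urn:example">'
            f'<e:Body><n:{op}><id>1</id></n:{op}></e:Body></e:Envelope>')


# Constructed sample records: (source IP, captured request body).
SAMPLE = [
    ("192.0.2.10", sample_envelope("mc_issue_get")),           # trusted source
    ("203.0.113.7", sample_envelope("mc_project_get_users")),  # untrusted, watched
    ("203.0.113.7", sample_envelope("other_operation")),       # untrusted, not watched
    ("198.51.100.4", "not xml"),                               # unparseable body
]

print(flag_requests(SAMPLE))
```

On an instance that has not yet been upgraded to 1.2.18, each hit is a request worth reviewing against the account it authenticated as.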

Reservation: 10/30/2014

Disclosure: 12/17/2014

Moderation: accepted

Entry: VDB-73275

CPE: ready

EPSS: 0.00635

KEV: no

Activities: very low
