CVE-2012-4404 - Vulnerability Details - OpenCVE

security/__init__.py in MoinMoin 1.9 through 1.9.4 does not properly handle group names that contain virtual group names such as "All," "Known," or "Trusted," which allows remote authenticated users with virtual group membership to be treated as a member of the group.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication Single

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

This CVE is not in the KEV list.

The EPSS score is 0.0099.

Key SSVC decision points have not yet been added.

Vendors	Products
Moinmo	Moinmoin

Configuration 1 [-]

OR	cpe:2.3:a:moinmo:moinmoin:1.9.0:::::::*
	cpe:2.3:a:moinmo:moinmoin:1.9.1:::::::*
	cpe:2.3:a:moinmo:moinmoin:1.9.2:::::::*
	cpe:2.3:a:moinmo:moinmoin:1.9.3:::::::*
	cpe:2.3:a:moinmo:moinmoin:1.9.4:::::::*

No data.

No data.

Advisories

Source	ID	Title
Debian DSA	DSA-2538-1	moin security update
EUVD	EUVD-2012-0017	security/__init__.py in MoinMoin 1.9 through 1.9.4 does not properly handle group names that contain virtual group names such as \"All,\" \"Known,\" or \"Trusted,\" which allows remote authenticated users with virtual group membership to be treated as a member of the group.
Github GHSA	GHSA-g4mx-rm5q-vh24	MoinMoin Improper Access Control
Ubuntu USN	USN-1604-1	MoinMoin vulnerabilities

Fixes

Solution

No solution given by the vendor.

Workaround

No workaround given by the vendor.

References

Link	Providers
http://hg.moinmo.in/moin/1.9/rev/7b9f39289e16
http://moinmo.in/SecurityFixes
http://secunia.com/advisories/50474
http://secunia.com/advisories/50496
http://secunia.com/advisories/50885
http://www.debian.org/security/2012/dsa-2538
http://www.openwall.com/lists/oss-security/2012/09/04/4
http://www.openwall.com/lists/oss-security/2012/09/05/2
http://www.ubuntu.com/usn/USN-1604-1

History

No history.

MITRE

Status: PUBLISHED

Assigner: redhat

Published: 2012-09-10T22:00:00

Updated: 2024-08-06T20:35:09.512Z

Reserved: 2012-08-21T00:00:00

Link: CVE-2012-4404

Vulnrichment

No data.

NVD

Status : Deferred

Published: 2012-09-10T22:55:05.197

Modified: 2025-04-11T00:51:21.963

Link: CVE-2012-4404

Redhat

No data.

OpenCVE Enrichment

No data.

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2012-09-03T00:00:00", "descriptions": [{"lang": "en", "value": "security/__init__.py in MoinMoin 1.9 through 1.9.4 does not properly handle group names that contain virtual group names such as \"All,\" \"Known,\" or \"Trusted,\" which allows remote authenticated users with virtual group membership to be treated as a member of the group."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2012-10-30T09:00:00", "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat"}, "references": [{"name": "USN-1604-1", "tags": ["vendor-advisory", "x_refsource_UBUNTU"], "url": "http://www.ubuntu.com/usn/USN-1604-1"}, {"name": "50496", "tags": ["third-party-advisory", "x_refsource_SECUNIA"], "url": "http://secunia.com/advisories/50496"}, {"tags": ["x_refsource_CONFIRM"], "url": "http://moinmo.in/SecurityFixes"}, {"name": "DSA-2538", "tags": ["vendor-advisory", "x_refsource_DEBIAN"], "url": "http://www.debian.org/security/2012/dsa-2538"}, {"name": "[oss-security] 20120904 CVE request: moinmoin incorrect ACL evaluation for virtual groups", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "http://www.openwall.com/lists/oss-security/2012/09/04/4"}, {"name": "50885", "tags": ["third-party-advisory", "x_refsource_SECUNIA"], "url": "http://secunia.com/advisories/50885"}, {"name": "50474", "tags": ["third-party-advisory", "x_refsource_SECUNIA"], "url": "http://secunia.com/advisories/50474"}, {"tags": ["x_refsource_CONFIRM"], "url": "http://hg.moinmo.in/moin/1.9/rev/7b9f39289e16"}, {"name": "[oss-security] 20120904 Re: CVE request: moinmoin incorrect ACL evaluation for virtual groups", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "http://www.openwall.com/lists/oss-security/2012/09/05/2"}]}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-06T20:35:09.512Z"}, "title": "CVE Program Container", "references": [{"name": "USN-1604-1", "tags": ["vendor-advisory", "x_refsource_UBUNTU", "x_transferred"], "url": "http://www.ubuntu.com/usn/USN-1604-1"}, {"name": "50496", "tags": ["third-party-advisory", "x_refsource_SECUNIA", "x_transferred"], "url": "http://secunia.com/advisories/50496"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "http://moinmo.in/SecurityFixes"}, {"name": "DSA-2538", "tags": ["vendor-advisory", "x_refsource_DEBIAN", "x_transferred"], "url": "http://www.debian.org/security/2012/dsa-2538"}, {"name": "[oss-security] 20120904 CVE request: moinmoin incorrect ACL evaluation for virtual groups", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "http://www.openwall.com/lists/oss-security/2012/09/04/4"}, {"name": "50885", "tags": ["third-party-advisory", "x_refsource_SECUNIA", "x_transferred"], "url": "http://secunia.com/advisories/50885"}, {"name": "50474", "tags": ["third-party-advisory", "x_refsource_SECUNIA", "x_transferred"], "url": "http://secunia.com/advisories/50474"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "http://hg.moinmo.in/moin/1.9/rev/7b9f39289e16"}, {"name": "[oss-security] 20120904 Re: CVE request: moinmoin incorrect ACL evaluation for virtual groups", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "http://www.openwall.com/lists/oss-security/2012/09/05/2"}]}]}, "cveMetadata": {"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "cveId": "CVE-2012-4404", "datePublished": "2012-09-10T22:00:00", "dateReserved": "2012-08-21T00:00:00", "dateUpdated": "2024-08-06T20:35:09.512Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:moinmo:moinmoin:1.9.0:*:*:*:*:*:*:*", "matchCriteriaId": "BAA73028-4193-49E9-B017-F1F27075FDDE", "vulnerable": true}, {"criteria": "cpe:2.3:a:moinmo:moinmoin:1.9.1:*:*:*:*:*:*:*", "matchCriteriaId": "2B6FF2CB-A7F2-4E74-8B95-0C7BA3DE47AD", "vulnerable": true}, {"criteria": "cpe:2.3:a:moinmo:moinmoin:1.9.2:*:*:*:*:*:*:*", "matchCriteriaId": "1B7C3A9E-1655-436F-94FF-390D44926A28", "vulnerable": true}, {"criteria": "cpe:2.3:a:moinmo:moinmoin:1.9.3:*:*:*:*:*:*:*", "matchCriteriaId": "D8434905-3540-4ADE-8223-251FFABD31D9", "vulnerable": true}, {"criteria": "cpe:2.3:a:moinmo:moinmoin:1.9.4:*:*:*:*:*:*:*", "matchCriteriaId": "AD68516B-3E72-41F4-8BD1-60A98FC1C9E3", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "security/__init__.py in MoinMoin 1.9 through 1.9.4 does not properly handle group names that contain virtual group names such as \"All,\" \"Known,\" or \"Trusted,\" which allows remote authenticated users with virtual group membership to be treated as a member of the group."}, {"lang": "es", "value": "security/__init__.py en MoinMoin v1.9 hasta v1.9.4 no trata correctamente los nombres de los grupos que contienen nombres de grupos virtuales tales como \"All\", \"Known\", o \"Trusted\", lo que permite ser tratados como miembros del grupo no-virtual a usuarios remotos autenticados que pertenezcan a un grupo virtual.\r\n"}], "id": "CVE-2012-4404", "lastModified": "2025-04-11T00:51:21.963", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "PARTIAL", "baseScore": 6.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:S/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 6.8, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}]}, "published": "2012-09-10T22:55:05.197", "references": [{"source": "secalert@redhat.com", "url": "http://hg.moinmo.in/moin/1.9/rev/7b9f39289e16"}, {"source": "secalert@redhat.com", "tags": ["Vendor Advisory"], "url": "http://moinmo.in/SecurityFixes"}, {"source": "secalert@redhat.com", "tags": ["Vendor Advisory"], "url": "http://secunia.com/advisories/50474"}, {"source": "secalert@redhat.com", "tags": ["Vendor Advisory"], "url": "http://secunia.com/advisories/50496"}, {"source": "secalert@redhat.com", "url": "http://secunia.com/advisories/50885"}, {"source": "secalert@redhat.com", "url": "http://www.debian.org/security/2012/dsa-2538"}, {"source": "secalert@redhat.com", "url": "http://www.openwall.com/lists/oss-security/2012/09/04/4"}, {"source": "secalert@redhat.com", "url": "http://www.openwall.com/lists/oss-security/2012/09/05/2"}, {"source": "secalert@redhat.com", "url": "http://www.ubuntu.com/usn/USN-1604-1"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://hg.moinmo.in/moin/1.9/rev/7b9f39289e16"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "http://moinmo.in/SecurityFixes"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "http://secunia.com/advisories/50474"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "http://secunia.com/advisories/50496"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://secunia.com/advisories/50885"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.debian.org/security/2012/dsa-2538"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.openwall.com/lists/oss-security/2012/09/04/4"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.openwall.com/lists/oss-security/2012/09/05/2"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.ubuntu.com/usn/USN-1604-1"}], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-264"}], "source": "nvd@nist.gov", "type": "Primary"}]}