Bug 925369 (CVE-2014-2027) - VUL-0: CVE-2014-2027: eGroupware before 1.8.006.20140217 allows remote attackers to conduct PHP objectinjection attacks, ...
Summary: VUL-0: CVE-2014-2027: eGroupware before 1.8.006.20140217 allows remote attack...
Status: RESOLVED FIXED
Alias: CVE-2014-2027
Product: openSUSE.org
Classification: openSUSE
Component: 3rd party software (show other bugs)
Version: unspecified
Hardware: Other Other
: P3 - Medium : Major (vote)
Target Milestone: ---
Assignee: Forgotten User PUSREQqWAA
QA Contact: E-mail List
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2015-04-01 08:37 UTC by Andreas Stieger
Modified: 2015-04-02 06:44 UTC (History)
0 users

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Andreas Stieger 2015-04-01 08:37:32 UTC 
CVE-2014-2027

eGroupware before 1.8.006.20140217 allows remote attackers to conduct PHP object
injection attacks, delete arbitrary files, and possibly execute arbitrary code
via the (1) addr_fields or (2) trans parameter to addressbook/csv_import.php,
(3) cal_fields or (4) trans parameter to calendar/csv_import.php, (5)
info_fields or (6) trans parameter to csv_import.php in (a) projectmanager/ or
(b) infolog/, or (7) processed parameter to
preferences/inc/class.uiaclprefs.inc.php.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-2027
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2027
http://openwall.com/lists/oss-security/2014/02/19/4
http://advisories.mageia.org/MGASA-2014-0116.html
http://www.mandriva.com/security/advisories?name=MDVSA-2015:087
http://sourceforge.net/projects/egroupware/files/eGroupware-1.8/README/download
http://openwall.com/lists/oss-security/2014/02/19/10


Not in an openSUSE release, but in server:eGroupWare.
Comment 1 Swamp Workflow Management 2015-04-01 22:00:25 UTC 
bugbot adjusting priority
Comment 2 Forgotten User PUSREQqWAA 2015-04-02 06:44:11 UTC 
This bug is fixed for more then 1 year!

openSUSE build-service contains our current version 14.2.20150310 and our old stable version 1.8.007.20150218.

Both contain the necessary fixes.

Ralf