CVE-2024-34080
📋 TL;DR
MantisBT versions before 2.26.2 have an information disclosure vulnerability where users can see metadata about notes they shouldn't have access to. When an issue references a note from another restricted issue, the hyperlink reveals the note's existence, author name, creation timestamp, and issue ID. This affects all MantisBT instances with multiple users and permission-based access controls.
💻 Affected Systems
- Mantis Bug Tracker (MantisBT)
📦 What is this software?
MantisBT by MantisBT
⚠️ Risk & Real-World Impact
Worst Case
An attacker could map internal issue IDs, identify active investigations, and potentially infer sensitive project details or personnel involvement through systematic enumeration of note metadata.
Likely Case
Internal users accidentally discover restricted note metadata while browsing accessible issues, potentially learning about confidential bug reports or security investigations they shouldn't know about.
If Mitigated
With proper access controls and monitoring, the impact is limited to metadata disclosure without actual note content, though it still violates least privilege principles.
🎯 Exploit Status
Exploitation requires authenticated access and involves clicking hyperlinks in issues that reference notes from restricted issues. No special tools or advanced techniques needed.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.26.2
Vendor Advisory: https://github.com/mantisbt/mantisbt/security/advisories/GHSA-99jc-wqmr-ff2q
Restart Required: No
Instructions:
1. Back up your MantisBT installation and database.
2. Download MantisBT 2.26.2 or later from mantisbt.org.
3. Replace existing files with the new version (excluding config_inc.php and uploaded files).
4. Run admin/check.php to verify installation.
5. Clear browser cache if issues persist.
🧯 If You Can't Patch
- Implement strict access controls and user education about not sharing issue links containing note references.
- Monitor access logs for unusual patterns of issue navigation and implement additional logging for note metadata access attempts.
🔍 How to Verify
Check if Vulnerable:
Check if your MantisBT version is below 2.26.2 by viewing the version in the footer or running: grep -r "g_mantis_version" . | grep -v ".git"
Check Version:
grep "\$g_mantis_version" config_defaults_inc.php | cut -d"'" -f2
Verify Fix Applied:
After upgrading to 2.26.2 or later, create two issues with different access permissions, add a note to the restricted issue, reference it from the accessible issue, and verify the hyperlink no longer shows metadata.
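The verification scenario above, modelled as an added example (a simplified Python sketch, not MantisBT's code or its actual patch). The `~<id>` reference syntax, the `#c<id>` anchor, the data structures and all function names are assumptions made for illustration; the sample issues, note and users are constructed.

```python
import html
import re
from dataclasses import dataclass

@dataclass
class Note:
    note_id: int
    issue_id: int
    author: str
    created: str

# Constructed sample data: note 7 belongs to restricted issue 101,
# which only alice may view; issue 100 is visible to both users.
NOTES = {7: Note(7, 101, "alice", "2024-05-01 09:30")}
ISSUE_VIEWERS = {100: {"alice", "bob"}, 101: {"alice"}}

NOTE_REF = re.compile(r"~(\d+)")  # assumed reference syntax: ~<note id>

def can_view(user, note):
    """Hypothetical access check: may this user read the note's parent issue?"""
    return user in ISSUE_VIEWERS.get(note.issue_id, set())

def _link(note):
    # The link carries the metadata the page lists: issue ID, author, timestamp.
    title = html.escape(f"{note.author} - {note.created}", quote=True)
    return (f'<a href="view.php?id={note.issue_id}#c{note.note_id}" '
            f'title="{title}">~{note.note_id}</a>')

def render_vulnerable(text, user):
    """Pre-fix behaviour as the page describes it: every existing note is
    linked and `user` is never consulted, so metadata reaches any viewer."""
    def repl(m):
        note = NOTES.get(int(m.group(1)))
        return _link(note) if note else m.group(0)
    return NOTE_REF.sub(repl, html.escape(text))

def render_hardened(text, user):
    """Link only when the viewer may read the note. Otherwise emit the same
    plain text as for a nonexistent ID, so existence is not revealed either."""
    def repl(m):
        note = NOTES.get(int(m.group(1)))
        return _link(note) if note and can_view(user, note) else m.group(0)
    return NOTE_REF.sub(repl, html.escape(text))
```

For an unauthorized viewer the hardened output for a restricted note is byte-identical to the output for a note ID that does not exist, which is the property to look for when checking an upgraded instance.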
📡 Detection & Monitoring
Log Indicators:
- Multiple access denied errors for note access from same user
- Patterns of users accessing issues with note references to restricted issues
Network Indicators:
- HTTP requests to note.php endpoints returning 403 errors followed by continued browsing
SIEM Query:
source="mantisbt_access.log" (status=403 AND uri="*/note.php*") | stats count by src_ip, user
🔗 References
- https://github.com/mantisbt/mantisbt/commit/0a50562369d823689c9b946066d1e49d3c2df226
- https://github.com/mantisbt/mantisbt/pull/2000
- https://github.com/mantisbt/mantisbt/security/advisories/GHSA-99jc-wqmr-ff2q
- https://mantisbt.org/bugs/view.php?id=34434