Forums | Mahara Community

Security issue relating to passwords <15.04.9, <15.10.5, <16.04.3

Aaron Wells

08 August 2016, 5:40 PM

Under some error logging settings, Mahara prints a stacktrace to its error logs which includes the values of parameters passed to functions in the stack. Earlier patches attempted to prevent password strings from being included in this printout, but if passwords or other sensitive information were passed via unusual parameter names they could still wind up being printed into the error logs. (No specific cases of this happening in Mahara's standard distribution are known, however.)

Category: Password security
Severity: Medium
Versions Affected: <15.04.9, <15.10.5, <16.04.3
Reported by: Aaron Wells
Bug report:
CVE reference: 2017-1000151

We recommend that all Mahara administrators upgrade to the latest version: 15.04.9, 15.10.5, or 16.04.3.

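The failure mode described in the announcement, as an added example that is not Mahara's code: a stack-trace renderer that redacts arguments by parameter name still prints a secret passed under an unusual name, while a renderer that logs only argument types and lengths does not. All function names and sample values below are hypothetical and constructed for the illustration.

```php
<?php
// Added illustration; none of these functions exist in Mahara.

// Name-based filter: hide an argument only when its parameter name looks sensitive.
// Handles plain functions only (method frames would need ReflectionMethod).
function render_frame_by_name(array $frame): string {
    $params = (new ReflectionFunction($frame['function']))->getParameters();
    $out = [];
    foreach ($frame['args'] ?? [] as $i => $value) {
        $name = isset($params[$i]) ? $params[$i]->getName() : "arg$i";
        $hide = preg_match('/pass|secret|token/i', $name) === 1;
        $out[] = $hide ? "$name=********" : "$name=" . var_export($value, true);
    }
    return $frame['function'] . '(' . implode(', ', $out) . ')';
}

// Value-free rendering: log the type (and string length) of each argument, never its value.
function render_frame_types_only(array $frame): string {
    $out = [];
    foreach ($frame['args'] ?? [] as $value) {
        $out[] = is_string($value) ? 'string(' . strlen($value) . ')' : gettype($value);
    }
    return $frame['function'] . '(' . implode(', ', $out) . ')';
}

// Returns the backtrace frame of whichever function called this helper.
function capture_caller_frame(): array {
    return debug_backtrace()[1];
}

// Conventional parameter name: the name-based filter catches it.
function check_login(string $username, string $password): array {
    return capture_caller_frame();
}

// Unusual parameter name for the same kind of secret: the name-based filter misses it.
function bind_directory(string $dn, string $cred): array {
    return capture_caller_frame();
}

// Constructed sample calls; the secrets are placeholder strings.
$frames = [
    check_login('alice', 'constructed-pw-1'),
    bind_directory('cn=app', 'constructed-pw-2'),
];
foreach ($frames as $frame) {
    echo 'by name:    ', render_frame_by_name($frame), "\n";
    echo 'types only: ', render_frame_types_only($frame), "\n";
}
```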