Mantis Bug Tracker Authentication Bypass Vulnerability in SOAP API on MySQL

Vulnerability

An authentication bypass vulnerability has been identified in Mantis Bug Tracker (MantisBT) versions prior to 2.28.1, specifically in instances using MySQL or compatible databases. The vulnerability arises from improper type checking of the password parameter in the SOAP API, which allows an attacker who knows the victim's username to log in without the actual password. A successful bypass lets the attacker call any SOAP API function available to the victim's account. Other database backends are not affected, as they do not allow implicit type conversion from string to integer.

Impact

Exploitation of this vulnerability allows for unauthorized access to user accounts via the SOAP API, enabling attackers to execute API functions on behalf of the victim. Additionally, if the SOAP API is not disabled, the attacker can access user account details such as email addresses and real names.

Remediation

Users can upgrade to MantisBT version 2.28.1 or later, where this vulnerability has been patched. For those unable to upgrade, disabling the SOAP API can significantly reduce the risk, although it does not completely eliminate it.
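As an added illustration of the class of fix (not MantisBT's own code or its 2.28.1 patch), the PHP below shows a SOAP login handler that enforces the parameter types itself and verifies the secret in application code instead of in SQL, so database coercion rules never decide the outcome. It assumes a hypothetical `users` table with `username` and `password_hash` columns, and an in-memory SQLite database stands in for MySQL in the demo.

```php
<?php
// Illustrative hardened login handler (not MantisBT's code). Assumes a `users`
// table (username, password_hash) holding password_hash() digests and a PDO handle.

function login_hardened(PDO $db, $username, $password): bool
{
    // 1. Enforce parameter types in the handler. A SOAP layer may decode the
    //    password element as int, float, bool, array or object; none is a credential.
    if (!is_string($username) || !is_string($password) || $password === '') {
        return false;
    }

    // 2. Look the user up by username only, bound explicitly as a string, so the
    //    secret never takes part in an SQL comparison subject to engine coercion.
    $stmt = $db->prepare('SELECT password_hash FROM users WHERE username = :u');
    $stmt->bindValue(':u', $username, PDO::PARAM_STR);
    $stmt->execute();
    $storedHash = $stmt->fetchColumn();

    // 3. Verify in application code with a constant-time hash check. Unknown users
    //    still cost one hash computation so timing does not reveal valid usernames.
    if ($storedHash === false) {
        password_verify($password, password_hash('dummy', PASSWORD_DEFAULT));
        return false;
    }
    return password_verify($password, (string) $storedHash);
}

// --- Demo with constructed sample data (SQLite in memory stands in for MySQL) ---
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (username TEXT PRIMARY KEY, password_hash TEXT NOT NULL)');
$ins = $db->prepare('INSERT INTO users (username, password_hash) VALUES (?, ?)');
$ins->execute(['alice', password_hash('correct horse battery staple', PASSWORD_DEFAULT)]);

$cases = [ // label => [username, password parameter as decoded, expected result]
    'correct string password'   => ['alice', 'correct horse battery staple', true],
    'wrong string password'     => ['alice', 'guess', false],
    'integer instead of string' => ['alice', 0, false],
    'array instead of string'   => ['alice', ['x'], false],
    'empty string'              => ['alice', '', false],
    'unknown user'              => ['mallory', 'anything', false],
];
foreach ($cases as $label => [$u, $p, $expected]) {
    $result = login_hardened($db, $u, $p);
    printf("%-28s -> %s %s\n", $label, $result ? 'accepted' : 'rejected',
        $result === $expected ? '(ok)' : '(UNEXPECTED)');
}
```

Requires the `pdo_sqlite` extension for the demo; the handler itself works unchanged against a MySQL PDO connection.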

Added: Mar 23, 2026, 8:27 PM
Updated: Mar 23, 2026, 8:27 PM

Vulnerability Rating (Custom Algorithm)

spread: 5.0
impact: 5.0
exploitability: 5.5
remediation: 7.9
relevance: 4.6
threat: 3.2
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.