<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Soap-Api - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/tags/soap-api/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Tue, 02 Jan 2024 12:00:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/tags/soap-api/feed.xml" rel="self" type="application/rss+xml"/><item><title>MantisBT Authentication Bypass via SOAP API on MySQL</title><link>https://feed.craftedsignal.io/briefs/2024-01-mantisbt-auth-bypass/</link><pubDate>Tue, 02 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-mantisbt-auth-bypass/</guid><description>MantisBT instances running on MySQL are vulnerable to an authentication bypass in the SOAP API due to improper type checking on the password parameter, allowing attackers with a valid username to log in without the actual password.</description><content:encoded><![CDATA[<p>MantisBT, a widely used web-based bug tracking system, is susceptible to a critical authentication bypass vulnerability (CVE-2026-30849) affecting instances utilizing MySQL or compatible databases. This flaw stems from inadequate type checking on the password parameter within the SOAP API. Specifically, the vulnerability exists in MantisBT versions prior to 2.28.1. An attacker who knows a valid username can exploit this weakness to gain unauthorized access to the SOAP API, circumventing the need for the correct password. Other database backends are not affected due to their stricter type handling. Successful exploitation grants the attacker the ability to execute any API function accessible to the compromised user, posing a significant risk of data breaches, system compromise, and unauthorized modifications.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>Attacker identifies a vulnerable MantisBT instance running on MySQL or a compatible database.</li>
<li>Attacker obtains a valid username for the MantisBT instance (e.g., through OSINT or social engineering).</li>
<li>Attacker crafts a malicious SOAP envelope containing the target username and a manipulated password parameter designed to exploit the type checking vulnerability.</li>
<li>Attacker sends the crafted SOAP request to the MantisBT instance's SOAP API endpoint.</li>
<li>The vulnerable MantisBT instance improperly processes the password parameter due to insufficient type validation.</li>
<li>The MantisBT instance authenticates the attacker as the targeted user without requiring the correct password.</li>
<li>Attacker leverages the authenticated SOAP API session to execute privileged API functions.</li>
<li>Attacker exfiltrates sensitive bug data, modifies bug reports, or performs other malicious actions within the MantisBT system.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of this vulnerability allows an attacker to bypass authentication and gain unauthorized access to a MantisBT instance. The impact includes potential data breaches involving sensitive bug reports, project information, and user data. Attackers can modify or delete bug reports, disrupt project workflows, or escalate their access to other systems connected to the MantisBT instance. While the exact number of affected MantisBT installations is unknown, the widespread use of MantisBT across various sectors suggests a potentially broad impact. Disabling the SOAP API mitigates the risk, but still allows the attacker to retrieve user account information including email address and real name.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Upgrade MantisBT to version 2.28.1 or later to patch CVE-2026-30849 and remediate the authentication bypass vulnerability.</li>
<li>If upgrading is not immediately feasible, disable the SOAP API as a workaround, referencing the <a href="https://mantisbt.org/docs/master/en-US/Admin_Guide/html-desktop/#admin.config.api.disable">MantisBT documentation</a> .</li>
<li>Monitor web server logs for suspicious SOAP API requests containing unusual password parameters indicative of exploitation attempts. Deploy a webserver rule to detect unusual password parameters in SOAP API requests.</li>
</ul>
]]></content:encoded><category domain="severity">critical</category><category domain="type">advisory</category><category>mantisbt</category><category>authentication-bypass</category><category>soap-api</category></item></channel></rss>