CVE-2025-2545

Vulnerability in Best Practical Solutions, LLC's Request Tracker prior to v5.0.8, where the Triple DES (3DES) cryptographic algorithm is used to protect emails sent with S/MIME encryption. Triple DES is considered obsolete and insecure due to its susceptibility to birthday attacks, which could compromise the confidentiality of encrypted messages.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
UNKNOWN
---
INCIBECNA
---
---
CISA-ADPADP
---
---
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 8%
Debian logo
Debian Releases
Debian Product
Codename
request-tracker4
bullseye
vulnerable
bullseye (security)
4.4.4+dfsg-2+deb11u5
fixed
bookworm
4.4.6+dfsg-1.1+deb12u3
fixed
bookworm (security)
4.4.6+dfsg-1.1+deb12u3
fixed
sid
vulnerable
request-tracker5
bookworm
5.0.3+dfsg-3~deb12u4
fixed
bookworm (security)
5.0.3+dfsg-3~deb12u4
fixed
trixie (security)
5.0.7+dfsg-4+deb13u1
fixed
trixie
5.0.7+dfsg-4+deb13u1
fixed
forky
5.0.7+dfsg-6
fixed
sid
5.0.7+dfsg-6
fixed
Common Weakness Enumeration
References
https://www.incibe.es/en/incibe-cert/notices/aviso/cryptographic-algorithm-not-recommended-request-tracker-best-practical
https://docs.bestpractical.com/release-notes/rt/4.4.8
https://docs.bestpractical.com/release-notes/rt/5.0.8
https://lists.debian.org/debian-lts-announce/2025/05/msg00009.html