U-223: Bugzilla May Disclose Confidential Information to Remote Users

July 30, 2012 - 7:00am

PROBLEM:

Bugzilla May Disclose Confidential Information to Remote Users

PLATFORM:

Version(s): 2.17.5 to 3.6.9, 3.7.1 to 4.0.6, 4.1.1 to 4.2.1, 4.3.1

ABSTRACT:

Two vulnerabilities were reported in Bugzilla.

REFERENCE LINKS:

The Vendor's Advisory
Security Advisories
CVE-2012-1969
CVE-2012-1968
SecurityTracker Alert ID: 1027320
Bug 777586

IMPACT ASSESSMENT:

High

Discussion:

Bugzilla is a Web-based bug-tracking system used by a large number of software projects. The following security issues have been discovered in Bugzilla:

In HTML bugmails, improper validation of the addressee's permissions can cause confidential information about bugs and attachments to be visible to the addressee.

The description of a private attachment can be visible to a user who does not have permission to access that attachment if the attachment ID is mentioned in a comment on a bug.
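The second issue, modelled as an added example (this is not Bugzilla's own Perl code; it is a simplified Python model with constructed attachment data, and the `is_insider` flag and `can_see_attachment` helper are assumptions standing in for Bugzilla's real permission logic): a comment linkifier that emits the attachment description for every referenced ID leaks private descriptions, while the hardened form checks the viewer's permission before any attachment metadata reaches the output.

```python
import html
import re
from dataclasses import dataclass

# Constructed sample data (not from Bugzilla): attachments keyed by ID.
# A private attachment should only be visible to privileged ("insider") users.
ATTACHMENTS = {
    101: {"description": "Public patch v1", "isprivate": False},
    102: {"description": "Customer credentials dump", "isprivate": True},
}

@dataclass
class User:
    name: str
    is_insider: bool  # assumption: may view private attachments

# Matches references such as "attachment 102" in comment text.
ATTACH_REF = re.compile(r"\battachment\s+(\d+)\b", re.IGNORECASE)

def can_see_attachment(user: User, att: dict) -> bool:
    """Permission check: public attachments for everyone, private ones for insiders only."""
    return not att["isprivate"] or user.is_insider

def render_link(att_id: str, att: dict, text: str) -> str:
    return (f'<a href="attachment.cgi?id={att_id}" '
            f'title="{html.escape(att["description"], quote=True)}">{html.escape(text)}</a>')

def linkify_vulnerable(comment: str, user: User) -> str:
    """Models the flaw: the description is emitted for any referenced ID,
    regardless of whether the viewer may see the attachment."""
    def repl(m: re.Match) -> str:
        att = ATTACHMENTS.get(int(m.group(1)))
        if att is None:
            return m.group(0)
        return render_link(m.group(1), att, m.group(0))
    return ATTACH_REF.sub(repl, html.escape(comment))

def linkify_fixed(comment: str, user: User) -> str:
    """Hardened form: unknown or not-permitted attachments stay plain text,
    so no metadata about them reaches the page."""
    def repl(m: re.Match) -> str:
        att = ATTACHMENTS.get(int(m.group(1)))
        if att is None or not can_see_attachment(user, att):
            return m.group(0)
        return render_link(m.group(1), att, m.group(0))
    return ATTACH_REF.sub(repl, html.escape(comment))
```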

Impact:

A remote user can obtain potentially sensitive information.

Solution:

The vendor has issued a fix (3.6.10, 4.0.7, 4.2.2, and 4.3.2).