Bugzilla < 3.0.11 / 3.2.6 / 3.4.5 / 3.5.3 Multiple Vulnerabilities

medium Nessus Network Monitor Plugin ID 5331

Synopsis

The remote web server is hosting an application that is vulnerable to multiple attack vectors.

Description

The remote web server is hosting a version of Bugzilla that is earlier than 3.0.11, 3.2.6, 3.4.5, or 3.5.3. Such versions are potentially affected by multiple vulnerabilities:

- Bugzilla does not block web access to the 'CVS/', 'contrib/', 'docs/en/xml', and 't/' directories or to the 'old-params.txt' file, so any unauthenticated client can retrieve their contents over HTTP.

- When a bug is moved from one product to another, an intermediate page is displayed on which the user selects the groups the bug should be restricted to in the new product. Because of a regression in Bugzilla 3.4.x involving groups, a private bug could temporarily become public during this step.
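The version test and the file-exposure issue above can both be checked from the outside. The following Python script is an added example, not code from Tenable or the Bugzilla project: it decides whether a version banner falls before the first fixed release on its branch (development branches such as 3.1.x and 3.3.x, and anything before 3.0, are compared against the next fixed branch, since every fix landed after them), and it probes the paths the advisory lists. The hostname bugs.example.test, the `SAMPLE_RESPONSES` table, and the choice of 'CVS/Entries' as a representative file inside 'CVS/' are assumptions made for the example; the real `http_status` fetcher is included but nothing on this page is queried.

```python
"""Added example: offline-testable version check and exposure probe for the
two issues in this advisory. Not part of the plugin or of Bugzilla itself."""
import re
import urllib.error
import urllib.request
from typing import Callable, Dict, List, Tuple

Version = Tuple[int, int, int]

# First fixed release on each branch, taken from the advisory text, ascending.
FIXED_VERSIONS: List[Version] = [(3, 0, 11), (3, 2, 6), (3, 4, 5), (3, 5, 3)]

# Paths the advisory says unpatched installs expose. 'CVS/Entries' stands in
# for the CVS/ directory (assumption: a bare directory request only shows
# something when directory listing is enabled, while CVS/Entries is a file
# every CVS working copy contains).
EXPOSED_PATHS = ["CVS/Entries", "contrib/", "docs/en/xml/", "t/", "old-params.txt"]

_VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?")


def parse_version(text: str) -> Version:
    """Extract major.minor[.patch] from a banner such as 'Bugzilla 3.4.4' or '3.6rc1'."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no version number in {text!r}")
    major, minor, patch = m.groups()
    return int(major), int(minor), int(patch or 0)


def is_vulnerable(version_text: str) -> bool:
    """True when the version predates the first fixed release on or after its branch.

    Branches not listed (3.1.x, 3.3.x, anything before 3.0) are compared
    against the next fixed branch; branches after 3.5 are treated as fixed.
    """
    v = parse_version(version_text)
    for fixed in FIXED_VERSIONS:
        if fixed[:2] >= v[:2]:
            return v < fixed
    return False


Fetcher = Callable[[str], int]


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Do not follow redirects: a 302 to a login page must not count as 200."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def http_status(url: str, timeout: float = 10.0) -> int:
    """Real fetcher: HTTP status of a GET without following redirects."""
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(url, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as e:
        return e.code


def exposed_paths(base_url: str, fetch: Fetcher = http_status) -> List[str]:
    """Return the advisory-listed paths that the server answers with 200."""
    base = base_url.rstrip("/") + "/"
    return [p for p in EXPOSED_PATHS if fetch(base + p) == 200]


def assess(version_text: str, base_url: str, fetch: Fetcher = http_status) -> Dict[str, object]:
    """Combine the banner check with the live probe into one finding."""
    return {
        "version": version_text,
        "version_vulnerable": is_vulnerable(version_text),
        "exposed": exposed_paths(base_url, fetch),
    }


# Constructed responses standing in for a live server: an unpatched 3.4.4
# install whose web server serves old-params.txt and t/ but refuses the rest.
# All of this is made up for the example; no host was queried.
SAMPLE_RESPONSES: Dict[str, int] = {
    "https://bugs.example.test/old-params.txt": 200,
    "https://bugs.example.test/t/": 200,
    "https://bugs.example.test/CVS/Entries": 404,
    "https://bugs.example.test/contrib/": 403,
    "https://bugs.example.test/docs/en/xml/": 403,
}


def sample_fetch(url: str) -> int:
    return SAMPLE_RESPONSES.get(url, 404)


if __name__ == "__main__":
    print(assess("Bugzilla 3.4.4", "https://bugs.example.test", sample_fetch))
```

Run it against a real instance by passing the banner from the footer of the Bugzilla front page and leaving `fetch` at its default; a 200 on any listed path is a finding regardless of the banner, since a backported install can report a fixed version while still shipping an unprotected tree.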

Solution

Upgrade to Bugzilla 3.0.11, 3.2.6, 3.4.5, 3.5.3, or later.

See Also

http://www.bugzilla.org/security/3.0.10

Plugin Details

Severity: Medium

ID: 5331

Family: CGI

Published: 2/1/2010

Updated: 3/6/2019

Nessus ID: 44426

Risk Information

VPR

Risk Factor: Low

Score: 3.7

CVSS v2

Risk Factor: Medium

Base Score: 5

Temporal Score: 4.1

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N

CVSS v3

Risk Factor: Medium

Base Score: 5.3

Temporal Score: 4.9

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Temporal Vector: CVSS:3.0/E:F/RL:O/RC:C

Vulnerability Information

CPE: cpe:/a:mozilla:bugzilla

Patch Publication Date: 1/31/2010

Vulnerability Publication Date: 2/1/2010

Reference Information

CVE: CVE-2009-3387, CVE-2009-3989

BID: 38025, 38026