Bugzilla < 4.0.16 / 4.1.1 < 4.2.12 / 4.3 < 4.4.7 / 4.5 < 4.5.6 Command Injection

medium Nessus Network Monitor Plugin ID 8913

Synopsis

The remote host is running a version of Bugzilla which is affected by a command injection vulnerability.

Description

The remote host is running Bugzilla, bug-tracking software with a web interface. All versions of Bugzilla prior to 4.0.16, 4.1.1 prior to 4.2.11, 4.3.1 prior to 4.4.6, and 4.5.1 prior to 4.5.6 are susceptible to a command injection vulnerability. The flaw stems from code that does not use the three-argument form of the Perl 'open()' function, so attacker-controlled strings can alter how the call is interpreted. An attacker can exploit this issue by injecting commands into product names and other attributes. Successful exploitation may allow an attacker to execute arbitrary commands in the context of the affected application.
Note: To exploit this issue, an attacker must have an account with the 'editcomponents' permission.
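As an added illustration (not code from this plugin or from Bugzilla), the two-argument open() pattern the description refers to is shown beside the hardened three-argument form, together with a product-name check; the temporary file and the sample name are constructed for the example.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use File::Temp qw(tempdir);
use File::Spec;

# Two-argument open(): Perl parses the string for mode characters, so a
# value that starts with '<', '>' or '|', or ends with '|', changes the
# mode, and a trailing '|' makes the rest a command. Shown for contrast
# only; it is never called in this script.
sub read_two_arg {
    my ($path) = @_;
    open(my $fh, $path) or return undef;   # mode is taken from the data
    local $/;
    my $data = <$fh>;
    close $fh;
    return $data;
}

# Three-argument open(): the mode is fixed by the code and the second
# argument is always treated as a literal file name.
sub read_three_arg {
    my ($path) = @_;
    open(my $fh, '<', $path) or return undef;
    local $/;
    my $data = <$fh>;
    close $fh;
    return $data;
}

# Defence in depth: accept product names only from a conservative
# character set before they are ever used to build a path.
sub valid_product_name {
    my ($name) = @_;
    return $name =~ /\A[A-Za-z0-9][A-Za-z0-9_.-]{0,63}\z/ ? 1 : 0;
}

# Constructed sample: a "product name" that ends in a pipe character.
my $dir  = tempdir(CLEANUP => 1);
my $name = 'reports |';
my $path = File::Spec->catfile($dir, $name);

# Create a file literally named 'reports |' and read it back with the
# three-argument form: the pipe is just a byte in the name, nothing runs.
open(my $out, '>', $path) or die "create: $!";
print $out "literal file contents\n";
close $out;
print "three-arg read: ", read_three_arg($path);
print "name check: ", (valid_product_name($name) ? "accepted" : "rejected"), "\n";
```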

Solution

Upgrade to Bugzilla 4.0.16, 4.2.12, 4.4.7, 5.0rc1, or later.

See Also

http://www.bugzilla.org/security/4.0.15

https://bugzilla.mozilla.org/show_bug.cgi?id=1079065

https://bugzilla.mozilla.org/show_bug.cgi?id=1090275

Plugin Details

Severity: Medium

ID: 8913

Family: CGI

Published: 2/20/2015

Updated: 3/6/2019

Nessus ID: 81424

Risk Information

VPR

Risk Factor: Medium

Score: 5.9

CVSS v2

Risk Factor: Medium

Base Score: 6

Temporal Score: 5

Vector: CVSS2#AV:N/AC:M/Au:S/C:P/I:P/A:P

CVSS v3

Risk Factor: Medium

Base Score: 5

Temporal Score: 4.7

Vector: CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L

Temporal Vector: CVSS:3.0/E:F/RL:O/RC:C

Vulnerability Information

CPE: cpe:/a:mozilla:bugzilla

Patch Publication Date: 1/21/2015

Vulnerability Publication Date: 1/21/2015

Reference Information

CVE: CVE-2014-8630

BID: 72525