Bugzilla < 4.0.15 / 4.2.11 / 4.4.6 / 4.5.6 Multiple Vulnerabilities

High Nessus Network Monitor Plugin ID 8606

Synopsis

The remote host is running a version of Bugzilla which is affected by multiple vulnerabilities.

Description

The remote host is running Bugzilla, a bug-tracking software with a web interface. The version of Bugzilla on the remote host is susceptible to the following vulnerabilities :

- A security-bypass vulnerability because it fails to verify the email id during account creation. Specifically, this issue occurs because the login names are automatically added to groups based on the domain. This issue affects the 'realname' parameter.(CVE-2014-1572)

- Multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied input submitted to CGI arguments.(CVE-2014-1573)

- An information disclosure vulnerability because a flag mail recipient who is not in an insider group can view the private comments.(CVE-2014-1571)

Solution

Upgrade to Bugzilla 4.0.15 / 4.2.11 / 4.4.6 / 4.5.6 or later.

See Also

http://www.bugzilla.org/security/4.0.14

https://bugzilla.mozilla.org/show_bug.cgi?id=1074812

https://bugzilla.mozilla.org/show_bug.cgi?id=1075578

https://bugzilla.mozilla.org/show_bug.cgi?id=1064140

Plugin Details

Severity: High

ID: 8606

Family: CGI

Published: 2015/02/09

Modified: 2016/01/15

Dependencies: 1442

Nessus ID: 78069

Risk Information

Risk Factor: High

CVSSv2

Base Score: 7.5

Temporal Score: 5.5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

Temporal Vector: CVSS2#E:U/RL:OF/RC:C

CVSSv3

Base Score: 7.3

Temporal Score: 6.4

Vector: CVSS3#AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Temporal Vector: CVSS3#E:U/RL:O/RC:C

Vulnerability Information

CPE: cpe:/a:mozilla:bugzilla

Patch Publication Date: 2014/11/03

Vulnerability Publication Date: 2014/10/06

Reference Information

CVE: CVE-2014-1571, CVE-2014-1572, CVE-2014-1573

BID: 70256, 70257, 70258