Bugzilla < 4.0.16 / 4.1.1 < 4.2.12 / 4.3 < 4.4.7 / 4.5 < 4.5.6 Command Injection
Medium | Nessus Network Monitor Plugin ID 8913
Synopsis
The remote host is running a version of Bugzilla which is affected by a command injection vulnerability.
Description
The remote host is running Bugzilla, a bug tracking software with a web interface. All versions of Bugzilla prior to 4.0.16, 4.1.1 prior to 4.2.11, 4.3.1 prior to 4.4.6, and 4.5.1 prior to 4.5.6 are susceptible to a command injection vulnerability. This vulnerability exists because the affected code does not use the three-argument form of the Perl 'open()' function. An attacker can exploit this issue by injecting commands into product names and other attributes. Successful exploitation may allow an attacker to execute arbitrary commands in the context of the affected application.
Note: To exploit this issue an attacker must have an account with 'editcomponents' permission.
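As an added illustration that is not Bugzilla's own code, the following Perl contrasts the two-argument open() the advisory refers to with the three-argument form, and adds an allow-list check on the user-supplied value before it is used to build a file name. The scratch directory, helper names and sample product names are constructed for this example.

```perl
#!/usr/bin/perl
# Added example (not Bugzilla's code): why the two-argument form of open()
# is unsafe with attacker-influenced names, the three-argument form that
# treats the name literally, and an allow-list check applied beforehand.
use strict;
use warnings;
use File::Temp qw(tempdir);
use File::Spec;

my $dir = tempdir(CLEANUP => 1);   # scratch directory for the demonstration

# Two-argument open(): Perl parses the mode out of the string itself, so a
# name that begins or ends with '|' is treated as a pipe to a command, and
# '<', '>' or '>>' prefixes silently change the mode. Never use with untrusted input.
sub write_two_arg {
    my ($path, $text) = @_;
    open(my $fh, ">$path") or die "open: $!";   # mode and name concatenated
    print $fh $text;
    close $fh;
}

# Three-argument open(): the mode is a separate argument and the name is
# taken literally, so metacharacters in $path cannot change what happens.
sub write_three_arg {
    my ($path, $text) = @_;
    open(my $fh, '>', $path) or die "open: $!";
    print $fh $text;
    close $fh;
}

# Defence in depth: accept only a conservative character set (an allow-list,
# not a deny-list) before the value is ever used to build a path.
sub is_safe_component {
    my ($name) = @_;
    return defined $name && $name =~ /\A[A-Za-z0-9][A-Za-z0-9._-]{0,63}\z/;
}

# Constructed sample "product names", as they might arrive from a web form.
for my $name ('WebTools', 'Tools|', '>Tools', '-', 'Web Tools') {
    if (!is_safe_component($name)) {
        print "rejected: '$name'\n";
        next;
    }
    my $path = File::Spec->catfile($dir, "$name.txt");
    write_three_arg($path, "ok\n");   # safe regardless of the name
    write_two_arg($path, "ok\n");     # only acceptable because $name was checked
    print "wrote: $path\n";
}
```

The allow-list is deliberately strict and would reject some legitimate names; the primary fix is the three-argument form, and the check is an additional layer.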
Solution
Upgrade to versions 4.0.16, 4.2.12, 4.4.7, 5.0rc1, or later.