Facebook Google Plus Twitter LinkedIn YouTube RSS Menu Search Resource - BlogResource - WebinarResource - ReportResource - Eventicons_066 icons_067icons_068icons_069icons_070

Bugzilla < 3.2.8 / 3.4.8 / 3.6.2 / 3.7.3 Multiple Vulnerabilities

Medium

Synopsis

The remote web server is hosting an application that is vulnerable to multiple attack vectors.

Description

The remote web server is hosting Bugzilla, a web-based bug tracking application.

Versions of Bugzilla 3.2.x earlier than 3.2.8, 3.4.x earlier than 3.4.8, 3.6.x earlier than 3.6.2, and 3.7.x earlier than 3.7.3 are potentially affected by multiple vulnerabilities :

- It is possible to (at least partially) determine the membership of any group using the Search interface. (CVE-2010-2756).

- It is possible to use the 'sudo' feature without sending a notification to the user being impersonated. (CVE-2010-2757)

- The 'Reports' and 'Duplicates' pages let you guess the name of products you can't see, due to the error message that is thrown. (CVE-2010-2758)

- For installations using PostgreSQL, specifying "bug X" or "Attachment X" in a comment can deny access to the bug if X is larger than the maximum 32-bit signed integer size. (CVE-2010-2759)

Solution

Upgrade to Bugzilla 3.2.8, 3.4.8, 3.6.2, 3.7.3, or later.