
Bugzilla < 4.0.16 / 4.1.1 < 4.2.12 / 4.3 < 4.4.7 / 4.5 < 4.5.6 Command Injection

Medium

Synopsis

The remote host is running a version of Bugzilla which is affected by a command injection vulnerability.

Description

The remote host is running Bugzilla, a bug tracking application with a web interface. Bugzilla versions prior to 4.0.16, 4.1.x and 4.2.x prior to 4.2.12, 4.3.x and 4.4.x prior to 4.4.7, and 4.5.x prior to 4.5.6 are affected by a command injection vulnerability. The flaw exists because the application uses the two-argument form of the Perl 'open()' function instead of the three-argument form: in two-argument 'open()', a filename that begins or ends with a pipe character ('|') is interpreted as a shell command to run rather than as a literal file path. An authenticated attacker can exploit this by placing shell metacharacters in a product name or another attribute that is later used to build a filename. Successful exploitation allows the attacker to execute arbitrary commands in the context of the web server user running Bugzilla. Note: exploiting this issue requires an account with the 'editcomponents' permission.
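The following Perl snippet is an added illustration of the bug class described above; it is not Bugzilla's own code. It places the vulnerable two-argument 'open()' beside the hardened three-argument form and feeds both a constructed attacker-controlled value (the hypothetical product name 'echo INJECTED|'). The function names, the sample value and the temporary-file path are assumptions made for this example.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed attacker-controlled value (hypothetical product name, not from
# Bugzilla).  The trailing '|' tells two-argument open() to run the text before
# it as a shell command and read its output.  A leading '|' would instead open
# a pipe *to* a command.
my $PRODUCT_NAME = 'echo INJECTED|';

# Vulnerable: two-argument open().  Perl inspects $path for a leading or
# trailing '|' (and for '<', '>', '>>') and switches mode accordingly, so an
# attacker-controlled name becomes a command execution primitive.
sub read_two_arg {
    my ($path) = @_;
    open(my $fh, "$path") or return undef;
    local $/;                      # slurp mode
    my $data = <$fh>;
    close $fh;
    return $data;
}

# Hardened: three-argument open() with an explicit mode.  $path is always
# treated as a literal filename, never as a pipe or mode specifier.
sub read_three_arg {
    my ($path) = @_;
    open(my $fh, '<', $path) or return undef;
    local $/;
    my $data = <$fh>;
    close $fh;
    return $data;
}

# Defence in depth: only accept names that cannot carry shell metacharacters
# before they are ever used to build a path.
sub is_safe_name {
    my ($name) = @_;
    return $name =~ /\A[A-Za-z0-9._-]+\z/ ? 1 : 0;
}

# Demonstration.
my $vuln = read_two_arg($PRODUCT_NAME);
print 'two-arg open returned: ', (defined $vuln ? $vuln : "undef\n");
# With the constructed value above this prints "INJECTED", i.e. the shell
# command ran.

my $safe = read_three_arg($PRODUCT_NAME);
print 'three-arg open returned: ', (defined $safe ? $safe : "undef\n");
# No file named 'echo INJECTED|' exists, so open() fails and nothing runs.

printf "is_safe_name(%s) = %d\n", $PRODUCT_NAME, is_safe_name($PRODUCT_NAME);
```

A quick check for this pattern across a Perl code base is the Perl::Critic policy InputOutput::ProhibitTwoArgOpen (e.g. `perlcritic --single-policy ProhibitTwoArgOpen lib/`), which flags every two-argument 'open()' call. Note that switching to three-argument 'open()' removes the pipe interpretation but does not by itself stop path traversal, so the allowlist check shown in 'is_safe_name' is still worth applying to any user-supplied value that ends up in a filename.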

Solution

Upgrade to versions 4.0.16, 4.2.12, 4.4.7, 5.0rc1, or later.