Executive Summary
Summary | |
---|---|
Title | Bugzilla: Multiple vulnerabilities |
Information | |||
---|---|---|---|
Name | GLSA-201006-19 | First vendor Publication | 2010-06-04 |
Vendor | Gentoo | Last vendor Modification | 2010-06-04 |
Severity (Vendor) | Normal | Revision | N/A |
Security-Database Scoring CVSS v3
Cvss vector : N/A | |||
---|---|---|---|
Overall CVSS Score | NA | ||
Base Score | NA | Environmental Score | NA |
Impact SubScore | NA | Temporal Score | NA |
Exploitability Sub Score | NA | ||
Security-Database Scoring CVSS v2
Cvss vector : (AV:N/AC:L/Au:N/C:P/I:P/A:P) | |||
---|---|---|---|
Cvss Base Score | 7.5 | Attack Range | Network |
Cvss Impact Score | 6.4 | Attack Complexity | Low |
Cvss Exploit Score | 10 | Authentication | None Required |
Detail
Synopsis
Bugzilla is prone to multiple medium severity vulnerabilities.
Background
Description
Impact
Workaround
Resolution
Bugzilla 2.x and 3.0 have reached their end of life. There will be no more security updates. All Bugzilla 2.x and 3.0 users should update to a supported Bugzilla 3.x version.
References
Availability
http://security.gentoo.org/glsa/glsa-201006-19.xml
Original Source
Url : http://security.gentoo.org/glsa/glsa-201006-19.xml |
CWE : Common Weakness Enumeration
% | Id | Name |
---|---|---|
43 % | CWE-352 | Cross-Site Request Forgery (CSRF) (CWE/SANS Top 25) |
21 % | CWE-264 | Permissions, Privileges, and Access Controls |
14 % | CWE-89 | Improper Sanitization of Special Elements used in an SQL Command ('SQL Injection') (CWE/SANS Top 25) |
7 % | CWE-255 | Credentials Management |
7 % | CWE-79 | Failure to Preserve Web Page Structure ('Cross-site Scripting') (CWE/SANS Top 25) |
7 % | CWE-22 | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') (CWE/SANS Top 25) |
OVAL Definitions
Definition Id: oval:org.mitre.oval:def:13667 | |||
Oval ID: | oval:org.mitre.oval:def:13667 | ||
Title: | DSA-1913-1 bugzilla -- SQL injection vulnerability | ||
Description: | Max Kanat-Alexander, Bradley Baetz, and Frédéric Buclin discovered an SQL injection vulnerability in the Bug.create WebService function in Bugzilla, a web-based bug tracking system, which allows remote attackers to execute arbitrary SQL commands. For the stable distribution, this problem has been fixed in version 3.0.4.1-2+lenny2. The oldstable distribution isn't affected by this problem. For the testing distribution and the unstable distribution, this problem will be fixed soon. We recommend that you upgrade your bugzilla packages. | ||
Family: | unix | Class: | patch |
Reference(s): | DSA-1913-1 CVE-2009-3165 | Version: | 5 |
Platform(s): | Debian GNU/Linux 5.0 | Product(s): | bugzilla |
Definition Synopsis: | |||
Definition Id: oval:org.mitre.oval:def:7942 | |||
Oval ID: | oval:org.mitre.oval:def:7942 | ||
Title: | DSA-1913 bugzilla -- SQL injection vulnerability | ||
Description: | Max Kanat-Alexander, Bradley Baetz, and Frédéric Buclin discovered an SQL injection vulnerability in the Bug.create WebService function in Bugzilla, a web-based bug tracking system, which allows remote attackers to execute arbitrary SQL commands. The oldstable distribution (etch) isn't affected by this problem. | ||
Family: | unix | Class: | patch |
Reference(s): | DSA-1913 CVE-2009-3165 | Version: | 3 |
Platform(s): | Debian GNU/Linux 5.0 | Product(s): | bugzilla |
Definition Synopsis: | |||
CPE : Common Platform Enumeration
OpenVAS Exploits
Date | Description |
---|---|
2011-03-09 | Name : Gentoo Security Advisory GLSA 201006-19 (bugzilla) File : nvt/glsa_201006_19.nasl |
2010-11-16 | Name : Fedora Update for bugzilla FEDORA-2010-17235 File : nvt/gb_fedora_2010_17235_bugzilla_fc12.nasl |
2010-08-30 | Name : Fedora Update for bugzilla FEDORA-2010-13072 File : nvt/gb_fedora_2010_13072_bugzilla_fc12.nasl |
2010-08-02 | Name : Bugzilla URL Password Information Disclosure Vulnerability File : nvt/gb_bugzilla_url_info_disc_vuln.nasl |
2010-07-06 | Name : Fedora Update for bugzilla FEDORA-2010-10398 File : nvt/gb_fedora_2010_10398_bugzilla_fc12.nasl |
2010-03-02 | Name : Fedora Update for bugzilla FEDORA-2010-1458 File : nvt/gb_fedora_2010_1458_bugzilla_fc11.nasl |
2010-02-10 | Name : FreeBSD Ports: bugzilla File : nvt/freebsd_bugzilla9.nasl |
2010-02-02 | Name : Bugzilla Directory Access Information Disclosure Vulnerability File : nvt/bugzilla_38025.nasl |
2010-02-02 | Name : Bugzilla Group Selection During Bug Move Information Disclosure Vulnerability File : nvt/bugzilla_38026.nasl |
2009-10-27 | Name : Debian Security Advisory DSA 1913-1 (bugzilla) File : nvt/deb_1913_1.nasl |
2009-10-02 | Name : Mozilla Bugzilla 'Bug.search()' WebService Function SQL Injection Vulnerability File : nvt/bugzilla_36371.nasl |
2009-10-02 | Name : Mozilla Bugzilla 'Bug.create()' WebService Function SQL Injection Vulnerability File : nvt/bugzilla_36373.nasl |
2009-09-21 | Name : Fedora Core 10 FEDORA-2009-9550 (bugzilla) File : nvt/fcore_2009_9550.nasl |
2009-09-21 | Name : Fedora Core 11 FEDORA-2009-9554 (bugzilla) File : nvt/fcore_2009_9554.nasl |
2009-09-21 | Name : FreeBSD Ports: bugzilla File : nvt/freebsd_bugzilla7.nasl |
2009-07-29 | Name : Fedora Core 10 FEDORA-2009-7669 (bugzilla) File : nvt/fcore_2009_7669.nasl |
2009-04-15 | Name : Fedora Core 10 FEDORA-2009-3410 (bugzilla) File : nvt/fcore_2009_3410.nasl |
2009-04-15 | Name : Fedora Core 9 FEDORA-2009-3405 (bugzilla) File : nvt/fcore_2009_3405.nasl |
2009-03-31 | Name : Bugzilla 'attachment.cgi' Cross Site Request Forgery Vulnerability File : nvt/bugzilla_34308.nasl |
2009-03-20 | Name : Fedora Core 9 FEDORA-2009-2418 (bugzilla) File : nvt/fcore_2009_2418.nasl |
2009-03-20 | Name : Fedora Core 10 FEDORA-2009-2417 (bugzilla) File : nvt/fcore_2009_2417.nasl |
2008-09-04 | Name : FreeBSD Ports: bugzilla, ja-bugzilla File : nvt/freebsd_bugzilla5.nasl |
Open Source Vulnerability Database (OSVDB)
Id | Description |
---|---|
62149 | Bugzilla Multiple Directory Access Restriction Weakness Remote Information Di... |
62148 | Bugzilla Product Category Group Restriction Weakness Remote Information Discl... |
58089 | Bugzilla token.cgi HTTP Referer Header URL Password Disclosure Bugzilla contains a flaw that may lead to an unauthorized information disclosure. The issue is triggered when a user who has reset their password immediately logs in, which will disclose password information in the HTTP Referer header resulting in a loss of confidentiality. |
58088 | Bugzilla Bug.create WebService Function Unspecified SQL Injection Bugzilla contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the Bug.create WebService function not properly sanitizing user-supplied input to an unspecified variable. This may allow an attacker to inject or manipulate SQL queries in the back-end database. |
58087 | Bugzilla Bug.search WebService Function Unspecified SQL Injection Bugzilla contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the Bug.search WebService function not properly sanitizing user-supplied input to an unspecified variable. This may allow an attacker to inject or manipulate SQL queries in the back-end database. |
54057 | Bugzilla with mod_perl Startup Token Entropy Weakness |
54056 | Bugzilla editflagtypes.cgi Unused Flag Type Deletion CSRF |
54055 | Bugzilla buglist.cgi Shared / Saved Search Deletion CSRF |
54054 | Bugzilla userprefs.cgi Keywords / User Preference Deletion CSRF |
54053 | Bugzilla editkeywords.cgi Keywords / User Preference Deletion CSRF |
54052 | Bugzilla process_bug.cgi Bug Update Activity CSRF |
54051 | Bugzilla Uploaded Attachment Handling XSS |
53069 | Bugzilla attachment.cgi Attachment Editing Authentication Bypass CSRF |
49731 | Bugzilla quips.cgi Unspecified Crafted Variable Security Bypass |
47547 | Bugzilla importxml.pl filename Parameter Traversal Arbitrary File Access |
Nessus® Vulnerability Scanner
Date | Description |
---|---|
2010-08-29 | Name : The remote Fedora host is missing a security update. File : fedora_2010-13072.nasl - Type : ACT_GATHER_INFO |
2010-07-01 | Name : The remote Fedora host is missing a security update. File : fedora_2010-1458.nasl - Type : ACT_GATHER_INFO |
2010-06-04 | Name : The remote Gentoo host is missing one or more security-related patches. File : gentoo_GLSA-201006-19.nasl - Type : ACT_GATHER_INFO |
2010-02-24 | Name : The remote Debian host is missing a security-related update. File : debian_DSA-1913.nasl - Type : ACT_GATHER_INFO |
2010-02-10 | Name : A CGI hosted on the remote web server is affected by an information disclosur... File : bugzilla_directory_access.nasl - Type : ACT_ATTACK |
2010-02-02 | Name : The remote FreeBSD host is missing a security-related update. File : freebsd_pkg_696053c60f5011dfa628001517351c22.nasl - Type : ACT_GATHER_INFO |
2009-09-21 | Name : The remote Fedora host is missing a security update. File : fedora_2009-9550.nasl - Type : ACT_GATHER_INFO |
2009-09-21 | Name : The remote Fedora host is missing a security update. File : fedora_2009-9554.nasl - Type : ACT_GATHER_INFO |
2009-09-18 | Name : The remote FreeBSD host is missing a security-related update. File : freebsd_pkg_b9ec7fe3a38a11de9c6b003048818f40.nasl - Type : ACT_GATHER_INFO |
2009-04-23 | Name : The remote Fedora host is missing a security update. File : fedora_2009-2417.nasl - Type : ACT_GATHER_INFO |
2009-04-23 | Name : The remote Fedora host is missing a security update. File : fedora_2009-3410.nasl - Type : ACT_GATHER_INFO |
2009-04-08 | Name : The remote Fedora host is missing a security update. File : fedora_2009-3405.nasl - Type : ACT_GATHER_INFO |
2009-03-19 | Name : The remote Fedora host is missing a security update. File : fedora_2009-2418.nasl - Type : ACT_GATHER_INFO |
2008-08-17 | Name : The remote FreeBSD host is missing one or more security-related updates. File : freebsd_pkg_1d96305d6ae611dd91d5000c29d47fd7.nasl - Type : ACT_GATHER_INFO |
Alert History
Date | Information |
---|---|
2014-02-17 11:36:54 |