Bugzilla Discloses Attachment Description and 'Deadline' Field to Remote Users
SecurityTracker Alert ID: 1017064
SecurityTracker URL: http://securitytracker.com/id/1017064
CVE Reference: CVE-2006-5454
Updated: Jun 2 2008
Original Entry Date: Oct 16 2006
Impact:
Disclosure of user information
Fix Available: Yes
Vendor Confirmed: Yes
Description:
A vulnerability was reported in Bugzilla. A remote user can view private information.
A user that is not in the 'insidergroup' can read the one-line descriptions of all attachments when in 'Diff' mode, even if the attachment is private. Version 2.17 (and later) is affected.
A user that is not in the 'timetrackinggroup' can view the 'deadline' field via the XML format. Version 2.19.2 (and later) is affected.
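A defensive model of the two checks described above, added here as an illustration and not Bugzilla's own (Perl) code: the 'insidergroup' and 'timetrackinggroup' names come from the advisory, while every other class, function name and the sample bug data are constructed. The point it shows is that the same group check has to run on every output path (Diff mode, XML export), not only on the main HTML view.

```python
"""Consistent field-level access checks on every export path (model of CVE-2006-5454; added illustration, not Bugzilla's Perl code)."""
from dataclasses import dataclass
import xml.etree.ElementTree as ET

@dataclass
class Attachment:
    attach_id: int
    description: str   # the one-line description that leaked in 'Diff' mode
    is_private: bool

@dataclass
class Bug:
    bug_id: int
    summary: str
    attachments: list[Attachment]
    deadline: str = ""          # restricted to 'timetrackinggroup'; "" when unset

@dataclass(frozen=True)
class User:
    login: str
    groups: frozenset[str]

def visible_attachments(user: User, bug: Bug) -> list[Attachment]:
    """Private attachments are returned only for 'insidergroup' members."""
    insider = "insidergroup" in user.groups
    return [a for a in bug.attachments if insider or not a.is_private]

def can_see_deadline(user: User) -> bool:
    return "timetrackinggroup" in user.groups

def render_diff_list(user: User, bug: Bug) -> list[str]:
    """Attachment list for 'Diff' mode, filtered with the same rule as the HTML view."""
    return [f"#{a.attach_id}: {a.description}" for a in visible_attachments(user, bug)]

def render_xml(user: User, bug: Bug) -> str:
    """XML export; the deadline element is emitted only for authorised users."""
    root = ET.Element("bug", id=str(bug.bug_id))
    ET.SubElement(root, "short_desc").text = bug.summary
    if bug.deadline and can_see_deadline(user):
        ET.SubElement(root, "deadline").text = bug.deadline
    for a in visible_attachments(user, bug):
        el = ET.SubElement(root, "attachment", attachid=str(a.attach_id))
        ET.SubElement(el, "desc").text = a.description
    return ET.tostring(root, encoding="unicode")

# Constructed sample data, not taken from any real Bugzilla instance.
SAMPLE_BUG = Bug(1, "Login page crashes",
                 [Attachment(10, "public patch", False),
                  Attachment(11, "internal repro notes", True)], "2006-10-31")
OUTSIDER, INSIDER = User("alice", frozenset()), User("bob", frozenset({"insidergroup", "timetrackinggroup"}))
```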
Impact:
A remote user can view private information.
Solution:
The vendor has issued fixed versions (2.18.6, 2.20.3, 2.22.1, and 2.23.3), available at:
http://www.bugzilla.org/download.html
Vendor URL: www.bugzilla.org/security/2.18.5/
Cause:
Access control error
Underlying OS:
Linux (Any), UNIX (Any), Windows (Any)
Message History:
None.
Source Message Contents
Date: Sun, 15 Oct 2006 21:08:34 -0400
Subject: Bugzilla vulnerabilities
http://www.bugzilla.org/security/2.18.5/