Bugzilla unauthorized account Creation Vulnerability (CVE-2014-1572)

Bugzilla unauthorized account Creation Vulnerability (CVE-2014-1572)

Release date: 2014-10-09
Updated on: 2014-10-09

Affected Systems:
Bugzilla 4.5.1-4.5.5
Bugzilla 4.3.1-4.4.5
Bugzilla 4.1.1-4.2.10
Bugzilla 2.23.3-4.0.14
Unaffected system:
Bugzilla 4.5.6
Bugzilla 4.4.6
Bugzilla 4.2.11
Bugzilla 4.0.15
Description:
CVE (CAN) ID: CVE-2014-1572

Bugzilla is an open-source defect tracking system that manages the entire lifecycle of defects in software development, such as submitting, repairing, and disabling defects. It is widely used in open-source projects, such as Apache Software Foundation, Linux kernel, LibreOffice, OpenOffice, OpenSSH, Eclipse, KDE, GNOME, and various Linux releases.

The unauthenticated Account creation vulnerability exists in the implementation of Bugzilla, which allows attackers to create a new Bugzilla account and overwrite some parameters when creating a final account, as a result, users are created in emails different from those originally requested. The overwritten login name is automatically added to the group according to the group Regular Expression settings.

<* Source: Check Point Software Technologies
Simon Green
Byron Jones
James Kettle
Netanel Rubin
Frederic Buclin
Matt Tyson
David Lawrence

Link: http://www.bugzilla.org/security/4.0.14/
*>

Suggestion:
Vendor patch:

Bugzilla
--------
For this reason, Bugzilla has released a Security Bulletin (4.0.14) and corresponding patches:
4.0.14: 4.0.14, 4.2.10, 4.4.5, and 4.5.5 Security Advisory
Link: http://www.bugzilla.org/security/4.0.14/

Patch download: http://www.bugzilla.org/download/

Reference: https://bugzilla.mozilla.org/show_bug.cgi? Id = 1074812

Release of all Bugzilla updates to fix important vulnerabilities

Install Bugzilla 4.2 On Fedora 16

Bugzilla Installation Process

Configure Bugzilla in Debian7 & Ubuntu 13.10

For details about Bugzilla, click here
For Bugzilla: click here

This article permanently updates the link address: