Bugzilla Command Injection and Security Restriction Bypass Vulnerability
Release date:
Updated on:
Affected Systems:
Bugzilla
Description:
CVE (CAN) ID: CVE-2014-8630
Bugzilla is an open source defect tracking system.
Bugzilla does not properly filter certain input, which allows injection and execution of arbitrary shell commands; successful exploitation requires the "editcomponents" permission. In addition, the WebServices module does not properly restrict which API methods may be called through the XML and JSON APIs, which may allow security restrictions to be bypassed.
<* Source: John Lightsey (john@nixnuts.net)
Link: http://secunia.com/advisories/62458/
*>
Suggestion:
Vendor patch:
Bugzilla
--------
The vendor has released a patch to fix this security problem. Please download it from the vendor's homepage:
Bugzilla:
http://www.bugzilla.org/security/4.0.15/
John Lightsey:
https://bugzilla.mozilla.org/show_bug.cgi?id=1079065
David Lawrence:
https://bugzilla.mozilla.org/show_bug.cgi?id=1090275