Command Injection in Mozilla Bugzilla



Updated: 2020-08-09
Risk: Low
Patch available: Yes
Number of vulnerabilities: 1
CVE-ID: CVE-2014-8630
CWE-ID: CWE-77
Exploitation vector: Network
Public exploit: N/A
Vulnerable software: Bugzilla (Web applications / Other software); Fedora (Operating systems & Components / Operating system)
Vendor: Mozilla; Fedoraproject

Security Bulletin

This security bulletin contains one low risk vulnerability.

1) Command Injection

EUVDB-ID: #VU40919

Risk: Low

CVSSv4.0: 1.2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2014-8630

CWE-ID: CWE-77 - Command injection

Exploit availability: No

Description

The vulnerability allows a remote authenticated user to read and manipulate data.

Bugzilla before 4.0.16, 4.1.x and 4.2.x before 4.2.12, 4.3.x and 4.4.x before 4.4.7, and 5.x before 5.0rc1 allows remote authenticated users to execute arbitrary commands by leveraging the editcomponents privilege and triggering crafted input to a two-argument Perl open call, as demonstrated by shell metacharacters in a product name.
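The two-argument open pattern referenced above, beside its three-argument replacement with input validation, as an added Perl example that is not Bugzilla's own code; the product file layout, the allowlist regex and the product names are constructed for illustration:

```perl
#!/usr/bin/perl
# Added example, not Bugzilla's own code: shows the two-argument open
# pattern named in the advisory and a hardened replacement. The product
# file layout, the allowlist regex and the names are constructed here.
use strict;
use warnings;
use File::Spec;
use File::Temp qw(tempdir);

# Constructed sample data: one legitimate product file in a temp directory.
my $dir = tempdir(CLEANUP => 1);
open(my $seed, '>', File::Spec->catfile($dir, 'WebTools'))
    or die "cannot create sample file: $!";
print $seed "sample product data\n";
close $seed;

# VULNERABLE PATTERN: with two arguments, Perl parses the string for mode
# characters and pipes, so a product name containing shell metacharacters
# is no longer treated as a plain file name. Never invoked with hostile
# input here; it is shown only so the contrast with the fix is visible.
sub read_product_unsafe {
    my ($name) = @_;
    open(my $fh, "$dir/$name") or return undef;   # two-argument open
    local $/;
    my $data = <$fh>;
    close $fh;
    return $data;
}

# HARDENED: allowlist the name, then use three-argument open so '<' is the
# mode and $path can only ever be a file name, whatever it contains.
sub read_product_safe {
    my ($name) = @_;
    return (undef, 'rejected: product name failed allowlist')
        unless defined $name && $name =~ /\A[A-Za-z0-9 ._-]+\z/;   # assumed rule
    my $path = File::Spec->catfile($dir, $name);
    open(my $fh, '<', $path) or return (undef, "open failed: $!");
    local $/;
    my $data = <$fh>;
    close $fh;
    return ($data, 'ok');
}

# A legitimate name opens; a name ending in a pipe character (the classic
# two-argument hazard) is rejected before any open call is reached.
for my $name ('WebTools', 'WebTools |') {
    my ($data, $status) = read_product_safe($name);
    printf "%-12s -> %s\n", "'$name'", $status;
}
```

Even without the allowlist, the three-argument form would only attempt to open a file literally named with the trailing pipe and fail with a file-not-found error; the allowlist is the extra check that keeps unexpected names out of the data layer entirely.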

Mitigation

Install the update from the vendor's website.

Vulnerable software versions

Bugzilla: 4.1 - 4.5.6

Fedora: 4.1 - 21

External links

https://advisories.mageia.org/MGASA-2015-0048.html
https://lists.fedoraproject.org/pipermail/package-announce/2015-February/149921.html
https://lists.fedoraproject.org/pipermail/package-announce/2015-February/149925.html
https://www.bugzilla.org/security/4.0.15/
https://www.mandriva.com/security/advisories?name=MDVSA-2015:030
https://bugzilla.mozilla.org/show_bug.cgi?id=1079065
https://security.gentoo.org/glsa/201607-11


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated privileged user via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.
