Command Injection in Bugzilla and Fedora - CVE-2014-8630
Published: February 1, 2015 / Updated: August 9, 2020
Vulnerability identifier: #VU40919
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2014-8630
CWE-ID: CWE-77
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vendor: Mozilla
Fedoraproject
Fedoraproject
Affected software:
Bugzilla
Fedora
Bugzilla
Fedora
Detailed vulnerability description
The vulnerability allows a remote #AU# to read and manipulate data.
Bugzilla before 4.0.16, 4.1.x and 4.2.x before 4.2.12, 4.3.x and 4.4.x before 4.4.7, and 5.x before 5.0rc1 allows remote authenticated users to execute arbitrary commands by leveraging the editcomponents privilege and triggering crafted input to a two-argument Perl open call, as demonstrated by shell metacharacters in a product name.
How to mitigate CVE-2014-8630
Install update from vendor's website.
Sources
- http://advisories.mageia.org/MGASA-2015-0048.html
- http://lists.fedoraproject.org/pipermail/package-announce/2015-February/149921.html
- http://lists.fedoraproject.org/pipermail/package-announce/2015-February/149925.html
- http://www.bugzilla.org/security/4.0.15/
- http://www.mandriva.com/security/advisories?name=MDVSA-2015:030
- https://bugzilla.mozilla.org/show_bug.cgi?id=1079065
- https://security.gentoo.org/glsa/201607-11