Input validation error in Bugzilla - CVE-2011-2979
Published: August 9, 2011 / Updated: August 11, 2020
Vulnerability identifier: #VU44827
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2011-2979
CWE-ID: CWE-20
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vendor: Mozilla
Affected software:
Bugzilla
Bugzilla
Detailed vulnerability description
The vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.
Bugzilla 4.1.x before 4.1.3 generates different responses for certain assignee queries depending on whether the group name is valid, which allows remote attackers to determine the existence of private group names via a custom search. NOTE: this vulnerability exists because of a CVE-2010-2756 regression.
How to mitigate CVE-2011-2979
Install update from vendor's website.
Sources
- http://secunia.com/advisories/45501
- http://www.bugzilla.org/security/3.4.11/
- http://www.debian.org/security/2011/dsa-2322
- http://www.osvdb.org/74298
- http://www.osvdb.org/74299
- http://www.securityfocus.com/bid/49042
- https://bugzilla.mozilla.org/show_bug.cgi?id=674497
- https://exchange.xforce.ibmcloud.com/vulnerabilities/69166