#VU40919 Command Injection in Bugzilla and Fedora - CVE-2014-8630

Cybersecurity Help s.r.o.

Published: 2015-02-01 | Updated: 2020-08-09

Vulnerability identifier: #VU40919

Vulnerability risk: Low

CVSSv4.0: 1.2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2014-8630

CWE-ID: CWE-77

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Bugzilla
Web applications / Other software
Fedora
Operating systems & Components / Operating system

Vendor: Mozilla
Fedoraproject

Description

The vulnerability allows a remote #AU# to read and manipulate data.

Bugzilla before 4.0.16, 4.1.x and 4.2.x before 4.2.12, 4.3.x and 4.4.x before 4.4.7, and 5.x before 5.0rc1 allows remote authenticated users to execute arbitrary commands by leveraging the editcomponents privilege and triggering crafted input to a two-argument Perl open call, as demonstrated by shell metacharacters in a product name.

Mitigation
Install update from vendor's website.

Vulnerable software versions

Bugzilla: 4.1 - 4.5.6

Fedora: 4.1 - 21

External links
https://advisories.mageia.org/MGASA-2015-0048.html
https://lists.fedoraproject.org/pipermail/package-announce/2015-February/149921.html
https://lists.fedoraproject.org/pipermail/package-announce/2015-February/149925.html
https://www.bugzilla.org/security/4.0.15/
https://www.mandriva.com/security/advisories?name=MDVSA-2015:030
https://bugzilla.mozilla.org/show_bug.cgi?id=1079065
https://security.gentoo.org/glsa/201607-11

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated privileged user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Fedora 21 update for bugzilla

Command Injection in Mozilla Bugzilla