Vulnerability identifier: #VU40919
Vulnerability risk: Low
CVSSv4.0: 1.2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID:
CWE-ID:
CWE-77
Exploitation vector: Network
Exploit availability: No
Vulnerable software:
Bugzilla
Web applications /
Other software
Fedora
Operating systems & Components /
Operating system
Vendor:
Mozilla
Fedoraproject
Description
The vulnerability allows a remote #AU# to read and manipulate data.
Bugzilla before 4.0.16, 4.1.x and 4.2.x before 4.2.12, 4.3.x and 4.4.x before 4.4.7, and 5.x before 5.0rc1 allows remote authenticated users to execute arbitrary commands by leveraging the editcomponents privilege and triggering crafted input to a two-argument Perl open call, as demonstrated by shell metacharacters in a product name.
Mitigation
Install update from vendor's website.
Vulnerable software versions
Bugzilla: 4.1 - 4.5.6
Fedora: 4.1 - 21
External links
https://advisories.mageia.org/MGASA-2015-0048.html
https://lists.fedoraproject.org/pipermail/package-announce/2015-February/149921.html
https://lists.fedoraproject.org/pipermail/package-announce/2015-February/149925.html
https://www.bugzilla.org/security/4.0.15/
https://www.mandriva.com/security/advisories?name=MDVSA-2015:030
https://bugzilla.mozilla.org/show_bug.cgi?id=1079065
https://security.gentoo.org/glsa/201607-11
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated privileged user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.