Bugzilla 3.7/3.7.1 Information Disclosure

medium Nessus Plugin ID 47748

Synopsis

The remote web server contains a CGI script that suffers from an information disclosure vulnerability.

Description

According to its banner, the version of Bugzilla installed on the remote host fails to restrict access to bugs created with inbound email interface (email_in.pl) or with 'Bug.create' method in the WebServices interface to 'mandatory' or 'Default' groups. This could allow bug information to become publicly available instead of being restricted to certain groups.

Solution

Upgrade to Bugzilla 3.7.2 or later.

See Also

https://bugzilla.mozilla.org/show_bug.cgi?id=574892

https://www.bugzilla.org/security/3.7.1/

Plugin Details

Severity: Medium

ID: 47748

File Name: bugzilla_3_7_1.nasl

Version: 1.11

Type: remote

Family: CGI abuses

Published: 7/16/2010

Updated: 4/11/2022

Configuration: Enable paranoid mode, Enable thorough checks

Supported Sensors: Nessus

Vulnerability Information

CPE: cpe:/a:mozilla:bugzilla

Required KB Items: Settings/ParanoidReport, installed_sw/Bugzilla

Excluded KB Items: Settings/disable_cgi_scanning

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 7/5/2010

Vulnerability Publication Date: 7/5/2010

Reference Information

BID: 41397