CVE-2005-3139

Name of the Vulnerable Software and Affected Versions Bugzilla versions 2.19.1 through 2.20rc2 Bugzilla version 2.21

Description The issue allows attackers to list all users whose names match an arbitrary substring when user matching is turned on in substring mode, even if the usevisibilitygroups parameter is set. This occurs because the substring mode does not properly respect the usevisibilitygroups parameter, leading to unauthorized user enumeration.

Recommendations For Bugzilla versions 2.19.1 through 2.20rc2, consider disabling the user matching feature in substring mode until a fix is available. For Bugzilla version 2.21, consider disabling the user matching feature in substring mode until a fix is available. As a temporary workaround, consider setting the usevisibilitygroups parameter to restrict user visibility, although this may not fully mitigate the issue.