CVE-2008-2105

Name of the Vulnerable Software and Affected Versions Bugzilla versions 2.23.4, 3.0.x through 3.0.3, 3.1.x through 3.1.3

Description The issue allows remote authenticated users to more easily spoof the changer of a bug via a @reporter command in the body of an e-mail message. This occurs because the @reporter command overrides the e-mail address as normally obtained from the From e-mail header. Note that since From headers are easily spoofed, this only crosses privilege boundaries in environments that provide additional verification of e-mail addresses.

Recommendations For Bugzilla version 2.23.4, update to a version later than 2.23.4 to resolve the issue. For Bugzilla versions 3.0.x through 3.0.3, update to version 3.0.4 or later. For Bugzilla versions 3.1.x through 3.1.3, update to version 3.1.4 or later.