PT-2013-2613 · Mozilla · Bugzilla

Published

2013-02-24

Updated

2013-12-13

CVE-2013-0786

CVSS v2.0

5.0

Medium

Vector

AV:N/AC:L/Au:N/C:P/I:N/A:N

Name of the Vulnerable Software and Affected Versions Bugzilla versions 2.x through 3.6.12 Bugzilla versions 3.7.x Bugzilla versions 4.0.x through 4.0.9

Description The issue allows remote attackers to discover private product names by using debug mode for a query. This is due to the Bugzilla::Search::build subselect function generating different error messages for invalid product queries depending on whether a product exists.

Recommendations For Bugzilla versions 2.x through 3.6.12, update to version 3.6.13 or later. For Bugzilla versions 3.7.x, update to a version that is not affected by this issue. For Bugzilla versions 4.0.x through 4.0.9, update to version 4.0.10 or later.

Fix

Information Disclosure

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-200

Related Identifiers

CVE-2013-0786

Affected Products

Bugzilla

PT-2013-2613 · Mozilla · Bugzilla

CVE-2013-0786

Weakness Enumeration

Related Identifiers

Affected Products

References · 5