PROBLEM:
Bugzilla May Disclose Confidential Information to Remote Users
PLATFORM:
Version(s): 2.17.5 to 3.6.9, 3.7.1 to 4.0.6, 4.1.1 to 4.2.1, 4.3.1
ABSTRACT:
Two vulnerabilities were reported in Bugzilla.
REFERENCE LINKS:
The Vendor's Advisory
Security Advisories
CVE-2012-1969
CVE-2012-1968
SecurityTracker Alert ID: 1027320
Bug 777586
IMPACT ASSESSMENT:
High
Discussion:
Bugzilla is a Web-based bug-tracking system used by a large number of software projects. The following security issues have been discovered in Bugzilla:
In HTML bugmails, improper validation of the addressee's permissions can cause confidential information about bugs and attachments to be visible to the addressee.
The description of a private attachment can be visible to a user who lacks permission to access that attachment if the attachment ID is mentioned in a comment on a bug.
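To make the second issue concrete, here is an added illustration (not Bugzilla's own code) of the two rendering patterns: a comment renderer that expands "attachment N" references with the attachment's description for every reader, beside one that checks the reader's permission before emitting any attachment metadata. The Attachment and Viewer classes, the is_insider flag, the attachment.cgi link form and the sample data are constructed for this example.

```python
import html
import re
from dataclasses import dataclass

@dataclass
class Attachment:
    id: int
    description: str
    isprivate: bool

@dataclass
class Viewer:
    name: str
    is_insider: bool  # assumed flag: member of the group allowed to see private attachments

# Constructed sample data for this illustration, not taken from the advisory.
ATTACHMENTS = {
    101: Attachment(101, "public-patch.diff", isprivate=False),
    102: Attachment(102, "customer-credentials-dump.txt", isprivate=True),
}

# Matches references such as "attachment 102" inside free-text comments.
ATTACH_REF = re.compile(r"\battachment\s+(\d+)\b", re.IGNORECASE)

def can_see_attachment(viewer: Viewer, att: Attachment) -> bool:
    """Permission rule: private attachments are visible to insiders only."""
    return (not att.isprivate) or viewer.is_insider

def link_markup(att: Attachment) -> str:
    """Link whose title attribute carries the attachment description."""
    return (f'<a href="attachment.cgi?id={att.id}" '
            f'title="{html.escape(att.description, quote=True)}">attachment {att.id}</a>')

def render_comment_unchecked(comment: str) -> str:
    """Vulnerable pattern: expands every reference with its description for any reader."""
    def repl(m: re.Match) -> str:
        att = ATTACHMENTS.get(int(m.group(1)))
        return link_markup(att) if att else m.group(0)
    return ATTACH_REF.sub(repl, comment)

def render_comment(comment: str, viewer: Viewer) -> str:
    """Hardened pattern: check the reader's permission before emitting attachment metadata."""
    def repl(m: re.Match) -> str:
        att = ATTACHMENTS.get(int(m.group(1)))
        if att is None or not can_see_attachment(viewer, att):
            return m.group(0)  # keep the plain-text reference, reveal nothing
        return link_markup(att)
    return ATTACH_REF.sub(repl, comment)
```

The same per-viewer check belongs wherever bug or attachment data is serialised for a recipient, including the HTML bugmail path described in the first issue.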
Impact:
A remote user can obtain potentially sensitive information.
Solution:
The vendor has issued a fix (3.6.10, 4.0.7, 4.2.2, and 4.3.2).