Home→Descriptions→SA38443
| Secunia ID | |
| CVE-ID | |
| Release Date | 01 Feb 2010 |
| Criticality | |
| Solution Status | Vendor Patch |
| Software | Bugzilla 3.x |
| Where | |
| Impact | Exposure of sensitive information: vulnerabilities where documents or credentials are leaked or can be revealed either locally or from remote. |
| Description |
Some weaknesses have been reported in Bugzilla, which can lead to the disclosure of sensitive information.

1) Bugzilla does not restrict access to the "CVS/", "contrib/", "docs/en/xml/", and "t/" directories and the "old-params.txt" file, which may contain sensitive information. Note: By default, these locations do not contain any sensitive information. This weakness is reported in all versions prior to 3.0.11, 3.2.6, 3.4.5, and 3.5.3.

2) An error within the group restriction when moving restricted bugs from one product to another can leave the bugs unrestricted, e.g. if no group is used in both products and no other group restrictions apply. This weakness is reported in versions 3.3.1 to 3.4.4, 3.5.1, and 3.5.2. |
| Solution | Update to version 3.0.11, 3.2.6, 3.4.5, or 3.5.3. |
| Reported by | 1) Joel Peshkin and Frédéric Buclin |
| Original Advisory |
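
The version ranges above can be turned into an inventory check. The following is an added example, not part of the advisory or of Bugzilla; the function names are hypothetical. It assumes that a release on a branch without its own fixed version (for example 3.3.x) counts as "prior to" the fixed releases, and that the upgrade target is the nearest fixed release above the installed one.

```python
import re

# Fixed release per branch, taken from the advisory's Solution field.
FIXED = {(3, 0): (3, 0, 11), (3, 2): (3, 2, 6), (3, 4): (3, 4, 5), (3, 5): (3, 5, 3)}
NEWEST_FIX = max(FIXED.values())


def parse_version(text):
    """Parse 'X.Y' or 'X.Y.Z' into a 3-tuple; reject anything else."""
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    if not m:
        raise ValueError(f"unrecognised Bugzilla version: {text!r}")
    return tuple(int(g or 0) for g in m.groups())


def weaknesses(version_text):
    """Return the advisory weakness numbers (1 and/or 2) that apply."""
    v = parse_version(version_text)
    found = set()
    fixed = FIXED.get(v[:2])
    # Weakness 1: unrestricted directories, all versions before the fixes.
    if fixed is not None:
        if v < fixed:
            found.add(1)
    elif v < NEWEST_FIX:
        # Assumption: a branch with no fixed release of its own is affected.
        found.add(1)
    # Weakness 2: group restriction lost when moving bugs between products.
    if (3, 3, 1) <= v <= (3, 4, 4) or v in {(3, 5, 1), (3, 5, 2)}:
        found.add(2)
    return found


def upgrade_target(version_text):
    """Nearest fixed release above the installed one, or None if unaffected."""
    if not weaknesses(version_text):
        return None
    v = parse_version(version_text)
    return ".".join(map(str, min(f for f in FIXED.values() if f > v)))


if __name__ == "__main__":
    # Constructed sample inventory.
    for installed in ("3.0.10", "3.2.6", "3.3.2", "3.4.4", "3.5.2"):
        print(installed, sorted(weaknesses(installed)), upgrade_target(installed))
```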