ID 92CA92C1-D859-11DE-89F9-001517351C22 Type freebsd Reporter FreeBSD Modified 2009-11-18T00:00:00
Description
A Bugzilla Security Advisory reports:
When a bug is in a group, none of its information
(other than its status and resolution) should be visible
to users outside that group. It was discovered that
as of 3.3.2, Bugzilla was showing the alias of the bug
(a very short string used as a shortcut for looking up
the bug) to users outside of the group, if the protected
bug ended up in the "Depends On" or "Blocks" list of any
other bug.
{"reporter": "FreeBSD", "published": "2009-11-18T00:00:00", "cvelist": ["CVE-2009-3386"], "affectedPackage": [{"OS": "FreeBSD", "OSVersion": "any", "packageVersion": "3.4.4", "packageFilename": "UNKNOWN", "packageName": "bugzilla", "arch": "noarch", "operator": "lt"}], "title": "bugzilla -- information leak", "objectVersion": "1.2", "type": "freebsd", "href": "https://vuxml.freebsd.org/freebsd/92ca92c1-d859-11de-89f9-001517351c22.html", "bulletinFamily": "unix", "hashmap": [{"hash": "25fea346cb8f85ff28c0b797b1ab0a61", "key": "affectedPackage"}, {"hash": "4913a9178621eadcdf191db17915fbcb", "key": "bulletinFamily"}, {"hash": "cb1de9ec2bf483332f9a0a48993b8515", "key": "cvelist"}, {"hash": "a792e2393dff1e200b885c5245988f6f", "key": "cvss"}, {"hash": "850f552184450b0c04924775ac980c5e", "key": "description"}, {"hash": "b6ed8fe758a5ec9b39e1099b6eebbd6d", "key": "href"}, {"hash": "4e7db8f2517e8fdb048e6c5ca1640d49", "key": "modified"}, {"hash": "56765472680401499c79732468ba4340", "key": "objectVersion"}, {"hash": "4e7db8f2517e8fdb048e6c5ca1640d49", "key": "published"}, {"hash": "a29a986c3a7009c06f2ec5906d3c8a92", "key": "references"}, {"hash": "a3dc630729e463135f4e608954fa6e19", "key": "reporter"}, {"hash": "7a95d0012b04d11ec10620b0c066bf66", "key": "title"}, {"hash": "1527e888767cdce15d200b870b39cfd0", "key": "type"}, {"hash": "cfcd208495d565ef66e7dff9f98764da", "key": "viewCount"}], "history": [], "enchantments": {"vulnersScore": 5.0}, "modified": "2009-11-18T00:00:00", "hash": "1abd9be2cc602b09089acc0799a5e3e33bed1472f5f665de9d3eccdd927e91d0", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}, "viewCount": 0, "edition": 1, "description": "\nA Bugzilla Security Advisory reports:\n\nWhen a bug is in a group, none of its information\n\t (other than its status and resolution) should be visible\n\t to users outside that group. It was discovered that\n\t as of 3.3.2, Bugzilla was showing the alias of the bug\n\t (a very short string used as a shortcut for looking up\n\t the bug) to users outside of the group, if the protected\n\t bug ended up in the \"Depends On\" or \"Blocks\" list of any\n\t other bug.\n\n", "references": ["http://www.bugzilla.org/security/3.4.3/"], "id": "92CA92C1-D859-11DE-89F9-001517351C22", "lastseen": "2016-09-26T17:24:50"}
{"result": {"cve": [{"id": "CVE-2009-3386", "type": "cve", "title": "CVE-2009-3386", "description": "Template.pm in Bugzilla 3.3.2 through 3.4.3 and 3.5 through 3.5.1 allows remote attackers to discover the alias of a private bug by reading the (1) Depends On or (2) Blocks field of a related bug.", "published": "2009-11-20T12:30:00", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-3386", "cvelist": ["CVE-2009-3386"], "lastseen": "2017-08-17T11:14:28"}], "openvas": [{"id": "OPENVAS:66323", "type": "openvas", "title": "Fedora Core 12 FEDORA-2009-11919 (bugzilla)", "description": "The remote host is missing an update to bugzilla\nannounced via advisory FEDORA-2009-11919.", "published": "2009-12-03T00:00:00", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}, "href": "http://plugins.openvas.org/nasl.php?oid=66323", "cvelist": ["CVE-2009-3386"], "lastseen": "2017-07-25T10:56:43"}, {"id": "OPENVAS:66341", "type": "openvas", "title": "FreeBSD Ports: bugzilla", "description": "The remote host is missing an update to the system\nas announced in the referenced advisory.", "published": "2009-12-03T00:00:00", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}, "href": "http://plugins.openvas.org/nasl.php?oid=66341", "cvelist": ["CVE-2009-3386"], "lastseen": "2017-07-02T21:14:16"}, {"id": "OPENVAS:1361412562310100358", "type": "openvas", "title": "Bugzilla Bug Alias Information Disclosure Vulnerability", "description": "Bugzilla is prone to an information-disclosure vulnerability.\n\nThe issue may allow attackers to obtain potentially sensitive information that may aid in other attacks.\n\nThe issue affects the following:\n\nBugzilla 3.3.2 through 3.4.3 Bugzilla 3.5 through 3.5.1", "published": "2009-11-20T00:00:00", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310100358", "cvelist": ["CVE-2009-3386"], "lastseen": "2018-01-26T11:17:10"}, {"id": "OPENVAS:136141256231066323", "type": "openvas", "title": "Fedora Core 12 FEDORA-2009-11919 (bugzilla)", "description": "The remote host is missing an update to bugzilla\nannounced via advisory FEDORA-2009-11919.", "published": "2009-12-03T00:00:00", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}, "href": "http://plugins.openvas.org/nasl.php?oid=136141256231066323", "cvelist": ["CVE-2009-3386"], "lastseen": "2018-04-06T11:39:10"}, {"id": "OPENVAS:136141256231066341", "type": "openvas", "title": "FreeBSD Ports: bugzilla", "description": "The remote host is missing an update to the system\nas announced in the referenced advisory.", "published": "2009-12-03T00:00:00", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}, "href": "http://plugins.openvas.org/nasl.php?oid=136141256231066341", "cvelist": ["CVE-2009-3386"], "lastseen": "2018-04-06T11:40:17"}, {"id": "OPENVAS:100358", "type": "openvas", "title": "Bugzilla Bug Alias Information Disclosure Vulnerability", "description": "Bugzilla is prone to an information-disclosure vulnerability.\n\nThe issue may allow attackers to obtain potentially sensitive\ninformation that may aid in other attacks.\n\nThe issue affects the following:\n\nBugzilla 3.3.2 through 3.4.3 Bugzilla 3.5 through 3.5.1", "published": "2009-11-20T00:00:00", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}, "href": "http://plugins.openvas.org/nasl.php?oid=100358", "cvelist": ["CVE-2009-3386"], "lastseen": "2017-07-02T21:14:09"}, {"id": "OPENVAS:1361412562310862217", "type": "openvas", "title": "Fedora Update for bugzilla FEDORA-2010-10398", "description": "Check for the Version of bugzilla", "published": "2010-07-06T00:00:00", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310862217", "cvelist": ["CVE-2009-3386", "CVE-2010-1204", "CVE-2009-3387", "CVE-2009-3989"], "lastseen": "2018-01-18T11:05:04"}, {"id": "OPENVAS:862217", "type": "openvas", "title": "Fedora Update for bugzilla FEDORA-2010-10398", "description": "Check for the Version of bugzilla", "published": "2010-07-06T00:00:00", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}, "href": "http://plugins.openvas.org/nasl.php?oid=862217", "cvelist": ["CVE-2009-3386", "CVE-2010-1204", "CVE-2009-3387", "CVE-2009-3989"], "lastseen": "2017-12-20T13:18:24"}, {"id": "OPENVAS:862552", "type": "openvas", "title": "Fedora Update for bugzilla FEDORA-2010-17235", "description": "Check for the Version of bugzilla", "published": "2010-11-16T00:00:00", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}, "href": "http://plugins.openvas.org/nasl.php?oid=862552", "cvelist": ["CVE-2009-3386", "CVE-2010-1204", "CVE-2009-3387", "CVE-2010-3172", "CVE-2010-3764", "CVE-2009-3989"], "lastseen": "2018-01-02T10:54:37"}, {"id": "OPENVAS:1361412562310862552", "type": "openvas", "title": "Fedora Update for bugzilla FEDORA-2010-17235", "description": "Check for the Version of bugzilla", "published": "2010-11-16T00:00:00", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310862552", "cvelist": ["CVE-2009-3386", "CVE-2010-1204", "CVE-2009-3387", "CVE-2010-3172", "CVE-2010-3764", "CVE-2009-3989"], "lastseen": "2018-01-25T10:55:17"}], "nessus": [{"id": "FREEBSD_PKG_92CA92C1D85911DE89F9001517351C22.NASL", "type": "nessus", "title": "FreeBSD : bugzilla -- information leak (92ca92c1-d859-11de-89f9-001517351c22)", "description": "A Bugzilla Security Advisory reports :\n\nWhen a bug is in a group, none of its information (other than its status and resolution) should be visible to users outside that group.\nIt was discovered that as of 3.3.2, Bugzilla was showing the alias of the bug (a very short string used as a shortcut for looking up the bug) to users outside of the group, if the protected bug ended up in the 'Depends On' or 'Blocks' list of any other bug.", "published": "2009-11-24T00:00:00", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=42875", "cvelist": ["CVE-2009-3386"], "lastseen": "2017-10-29T13:38:08"}, {"id": "FEDORA_2009-11919.NASL", "type": "nessus", "title": "Fedora 12 : bugzilla-3.4.4-1.fc12 (2009-11919)", "description": "Bugzilla 3.4.4 fixes security issues that were found in previous versions of the software where private information would be leaked to other users. CVE Number: CVE-2009-3386 See upstream security advisory for additional details: http://www.bugzilla.org/security/3.4.3/\n\nNote that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "published": "2009-11-25T00:00:00", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=42885", "cvelist": ["CVE-2009-3386"], "lastseen": "2017-10-29T13:35:47"}], "seebug": [{"id": "SSV:12668", "type": "seebug", "title": "Mozilla Bugzilla bug\u522b\u540d\u4fe1\u606f\u6cc4\u6f0f\u6f0f\u6d1e", "description": "Bugraq ID: 37062\r\nCVE ID\uff1aCVE-2009-3386\r\n\r\nMozilla Bugzilla\u662f\u4e00\u6b3e\u57fa\u4e8eWeb\u7684BUG\u8ddf\u8e2a\u7cfb\u7edf\u3002\r\nMozilla Bugzilla\u663e\u793a"Depends On"\u6216"Blocks"\u5217\u8868\u4e2d\u7684\u53d7\u9650\u5236bugs\u7684\u522b\u540d\u65f6\u5b58\u5728\u9519\u8bef\uff0c\u53ef\u5bfc\u81f4\u6cc4\u6f0f\u654f\u611f\u4fe1\u606f\u3002\r\n\u5f53\u67d0\u4e2abug\u5c5e\u4e8e\u67d0\u4e2a\u7ec4\u65f6\uff0c\u672c\u6765\u5b83\u6240\u6709\u4fe1\u606f\u5bf9\u6b64\u7ec4\u4e4b\u5916\u7684\u7528\u6237\u662f\u4e0d\u53ef\u89c1\u7684\u3002\u4f46\u662f\u5b58\u5728\u6f0f\u6d1e\u53ef\u663e\u793a(\u975e\u5e38\u77ed\u7684\u5b57\u7b26\u4e32\u4f5c\u4e3a\u5feb\u6377\u65b9\u5f0f\u7528\u4e8e\u67e5\u8be2bug)"Depends On"\u6216"Blocks"\u5217\u8868\u4e2d\u7684\u53d7\u9650\u5236bugs\u7684\u522b\u540d\u7ed9\u6b64\u7ec4\u4ee5\u5916\u7684\u5176\u4ed6\u7528\u6237\uff0c\u5bfc\u81f4\u654f\u611f\u4fe1\u606f\u3002\n\nMozilla Bugzilla 3.5.1 \r\nMozilla Bugzilla 3.4.3 \r\nMozilla Bugzilla 3.4.2 \r\nMozilla Bugzilla 3.4.1 \r\nMozilla Bugzilla 3.3.4 \r\nMozilla Bugzilla 3.3.3 \r\nMozilla Bugzilla 3.3.3 \r\nMozilla Bugzilla 3.3.2 \r\nMozilla Bugzilla 3.5\r\nMozilla Bugzilla 3.4 rc1\r\nMozilla Bugzilla 3.4\n\u5382\u5546\u89e3\u51b3\u65b9\u6848\r\n\u7528\u6237\u53ef\u8054\u7cfb\u4f9b\u5e94\u5546\u5347\u7ea7\u5230\u5982\u4e0b\u7248\u672c\uff1a\r\nMozilla Bugzilla 3.4 rc1\r\nMozilla bugzilla-3.4.4.tar.gz\r\nhttp://ftp.mozilla.org/pub/mozilla.org/webtools/bugzilla-3.4.4.tar.gz\r\nMozilla Bugzilla 3.5\r\nMozilla bugzilla-3.5.2.tar.gz\r\nhttp://ftp.mozilla.org/pub/mozilla.org/webtools/bugzilla-3.5.2.tar.gz\r\nMozilla Bugzilla 3.4\r\nMozilla bugzilla-3.4.4.tar.gz\r\nhttp://ftp.mozilla.org/pub/mozilla.org/webtools/bugzilla-3.4.4.tar.gz\r\nMozilla Bugzilla 3.3.2 \r\nMozilla bugzilla-3.4.4.tar.gz\r\nhttp://ftp.mozilla.org/pub/mozilla.org/webtools/bugzilla-3.4.4.tar.gz\r\nMozilla Bugzilla 3.3.3 \r\nMozilla bugzilla-3.4.4.tar.gz\r\nhttp://ftp.mozilla.org/pub/mozilla.org/webtools/bugzilla-3.4.4.tar.gz\r\nMozilla Bugzilla 3.3.3 \r\nMozilla bugzilla-3.4.4.tar.gz\r\nhttp://ftp.mozilla.org/pub/mozilla.org/webtools/bugzilla-3.4.4.tar.gz\r\nMozilla Bugzilla 3.3.4 \r\nMozilla bugzilla-3.4.4.tar.gz\r\nhttp://ftp.mozilla.org/pub/mozilla.org/webtools/bugzilla-3.4.4.tar.gz\r\nMozilla Bugzilla 3.4.1 \r\nMozilla bugzilla-3.4.4.tar.gz\r\nhttp://ftp.mozilla.org/pub/mozilla.org/webtools/bugzilla-3.4.4.tar.gz\r\nMozilla Bugzilla 3.4.2 \r\nMozilla bugzilla-3.4.4.tar.gz\r\nhttp://ftp.mozilla.org/pub/mozilla.org/webtools/bugzilla-3.4.4.tar.gz\r\nMozilla Bugzilla 3.4.3 \r\nMozilla bugzilla-3.4.4.tar.gz\r\nhttp://ftp.mozilla.org/pub/mozilla.org/webtools/bugzilla-3.4.4.tar.gz\r\nMozilla Bugzilla 3.5.1 \r\nMozilla bugzilla-3.5.2.tar.gz\r\nhttp://ftp.mozilla.org/pub/mozilla.org/webtools/bugzilla-3.5.2.tar.gz", "published": "2009-11-20T00:00:00", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}, "href": "https://www.seebug.org/vuldb/ssvid-12668", "cvelist": ["CVE-2009-3386"], "lastseen": "2017-11-19T18:29:37"}]}}
