Nessus | Tenable | 5627.PRM
Aug 13, 2010 - 12:00 a.m.

Bugzilla < 3.2.8 / 3.4.8 / 3.6.2 / 3.7.3 Multiple Vulnerabilities

2010-08-13 00:00:00
Tenable
www.tenable.com

CVSS2: 6.5 (AV:N/AC:L/Au:S/C:P/I:P/A:P)

  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Authentication: SINGLE
  • Confidentiality Impact: PARTIAL
  • Integrity Impact: PARTIAL
  • Availability Impact: PARTIAL

EPSS: 0.02 (Percentile: 89.2%)

The remote web server is hosting Bugzilla, a web-based bug tracking application.

Versions of Bugzilla 3.2.x earlier than 3.2.8, 3.4.x earlier than 3.4.8, 3.6.x earlier than 3.6.2, and 3.7.x earlier than 3.7.3 are potentially affected by multiple vulnerabilities:

  • It is possible to (at least partially) determine the membership of any group using the Search interface. (CVE-2010-2756)

  • It is possible to use the ‘sudo’ feature without sending a notification to the user being impersonated. (CVE-2010-2757)

  • The ‘Reports’ and ‘Duplicates’ pages let you guess the name of products you can’t see, due to the error message that is thrown. (CVE-2010-2758)

  • For installations using PostgreSQL, specifying “bug X” or “Attachment X” in a comment can deny access to the bug if X is larger than the maximum 32-bit signed integer size. (CVE-2010-2759)
