CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:L/Au:N/C:P/I:N/A:N
EPSS
Percentile
84.5%
According to its banner, the version of Bugzilla installed on the remote host is affected by multiple vulnerabilities :
When the user logs in using LDAP, the username is not escaped when building the uid=$username filter which is used to query the LDAP directory. This could potentially lead to LDAP injection. Note that this affects versions 2.12 to 3.6.10, 3.7.1 to 4.0.7, 4.1.1 to 4.2.2, and 4.3.1 to 4.3.2. (CVE-2012-3981)
Extensions are not protected against directory browsing and users can access the source code of the templates which may contain sensitive data. Note that this affects versions 2.23.2 to 3.6.10, 3.7.1 to 4.0.7, 4.1.1 to 4.2.2, and 4.3.1 to 4.3.2. (CVE-2012-4747)
Note that Nessus has not tested for these issues but has instead relied only on the applicationβs self-reported version number.
#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#
include('deprecated_nasl_level.inc');
include('compat.inc');
if (description)
{
script_id(62074);
script_version("1.11");
script_set_attribute(attribute:"plugin_modification_date", value:"2022/04/11");
script_cve_id("CVE-2012-3981", "CVE-2012-4747");
script_bugtraq_id(55349);
script_name(english:"Bugzilla < 3.6.11 / 4.0.8 / 4.2.3 / 4.3.3 Multiple Vulnerabilities");
script_set_attribute(attribute:"synopsis", value:
"The remote web server contains a CGI application that suffers from
multiple vulnerabilities.");
script_set_attribute(attribute:"description", value:
"According to its banner, the version of Bugzilla installed on the
remote host is affected by multiple vulnerabilities :
- When the user logs in using LDAP, the username is not
escaped when building the uid=$username filter which
is used to query the LDAP directory. This could
potentially lead to LDAP injection. Note that this
affects versions 2.12 to 3.6.10, 3.7.1 to 4.0.7,
4.1.1 to 4.2.2, and 4.3.1 to 4.3.2. (CVE-2012-3981)
- Extensions are not protected against directory
browsing and users can access the source code of the
templates which may contain sensitive data. Note that
this affects versions 2.23.2 to 3.6.10, 3.7.1 to 4.0.7,
4.1.1 to 4.2.2, and 4.3.1 to 4.3.2. (CVE-2012-4747)
Note that Nessus has not tested for these issues but has instead
relied only on the application's self-reported version number.");
script_set_attribute(attribute:"see_also", value:"http://www.bugzilla.org/security/3.6.10/");
script_set_attribute(attribute:"solution", value:
"Upgrade to Bugzilla 3.6.11/ 4.0.8 / 4.2.3 / 4.3.3 or later. Note that
a patch for CVE-2012-4747 may not have been ported to all branches of
Bugzilla. Please refer to the above referenced URL for available
patches and solutions.");
script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N");
script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
script_set_attribute(attribute:"cvss_score_source", value:"CVE-2012-4747");
script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
script_set_attribute(attribute:"exploit_available", value:"false");
script_set_attribute(attribute:"vuln_publication_date", value:"2012/08/30");
script_set_attribute(attribute:"patch_publication_date", value:"2012/08/30");
script_set_attribute(attribute:"plugin_publication_date", value:"2012/09/13");
script_set_attribute(attribute:"potential_vulnerability", value:"true");
script_set_attribute(attribute:"plugin_type", value:"remote");
script_set_attribute(attribute:"cpe", value:"cpe:/a:mozilla:bugzilla");
script_set_attribute(attribute:"thorough_tests", value:"true");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_family(english:"CGI abuses");
script_copyright(english:"This script is Copyright (C) 2012-2022 and is owned by Tenable, Inc. or an Affiliate thereof.");
script_dependencies("bugzilla_detect.nasl");
script_require_keys("installed_sw/Bugzilla", "Settings/ParanoidReport");
script_exclude_keys("Settings/disable_cgi_scanning");
script_require_ports("Services/www", 80);
exit(0);
}
include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");
include("http.inc");
include("install_func.inc");
if (report_paranoia < 2) audit(AUDIT_PARANOID);
app = 'Bugzilla';
get_install_count(app_name:app, exit_if_zero:TRUE);
port = get_http_port(default:80);
install = get_single_install(
app_name : app,
port : port,
exit_if_unknown_ver : TRUE
);
dir = install["path"];
version = install["version"];
install_loc = build_url(port:port, qs:dir + "/query.cgi");
ver = split(version, sep:".", keep:FALSE);
for (i=0; i<max_index(ver); i++)
ver[i] = int(ver[i]);
# Versions less than 3.6.11 / 4.0.8 / 4.2.3 / 4.3.3 are vulnerable
# Specific ranges were provided by bugzilla.org/security/3.6.10/
if (
# 2.12 to 3.6.10
(ver[0] == 2 && ver[1] > 11) ||
(ver[0] == 3 && ver[1] < 6) ||
(ver[0] == 3 && ver[1] == 6 && ver[2] < 11) ||
# 3.7.1 to 4.0.7
(ver[0] == 3 && ver[1] == 7 && ver[2] > 0) ||
(ver[0] == 3 && ver[1] > 7) ||
(ver[0] == 4 && ver[1] == 0 && ver[2] < 8) ||
# 4.1.1 to 4.2.2
(ver[0] == 4 && ver[1] == 1 && ver[2] > 0) ||
(ver[0] == 4 && ver[1] == 2 && ver[2] < 3) ||
# 4.3.1 to 4.3.2
(ver[0] == 4 && ver[1] == 3 && ver[2] > 0 && ver[2] < 3)
)
{
if (report_verbosity > 0)
{
report =
'\n URL : ' +install_loc+
'\n Installed version : ' +version+
'\n Fixed version : 3.6.11 / 4.0.8 / 4.2.3 / 4.3.3\n';
security_warning(port:port, extra:report);
}
else security_warning(port);
}
else audit(AUDIT_WEB_APP_NOT_AFFECTED, app, install_loc, version);