{"id": "DEBIAN_DSA-173.NASL", "bulletinFamily": "scanner", "title": "Debian DSA-173-1 : bugzilla - privilege escalation", "description": "The developers of Bugzilla, a web-based bug tracking system,\ndiscovered a problem in the handling of more than 47 groups. When a\nnew product is added to an installation with 47 groups or more and\n'usebuggroups' is enabled, the new group will be assigned a groupset\nbit using Perl math that is not exact beyond 248. This results in the\nnew group being defined with a 'bit' that has several bits set. As\nusers are given access to the new group, those users will also gain\naccess to spurious lower group privileges. Also, group bits were not\nalways reused when groups were deleted.", "published": "2004-09-29T00:00:00", "modified": "2004-09-29T00:00:00", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "href": "https://www.tenable.com/plugins/nessus/15010", "reporter": "This script is Copyright (C) 2004-2021 Tenable Network Security, Inc.", "references": ["http://www.debian.org/security/2002/dsa-173"], "cvelist": ["CVE-2002-1196"], "type": "nessus", "lastseen": "2021-01-06T09:45:18", "edition": 25, "viewCount": 0, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2002-1196"]}, {"type": "osvdb", "idList": ["OSVDB:6355"]}, {"type": "openvas", "idList": ["OPENVAS:53428"]}, {"type": "nessus", "idList": ["BUGZILLA_VULNS.NASL"]}], "modified": "2021-01-06T09:45:18", "rev": 2}, "score": {"value": 6.5, "vector": "NONE", "modified": "2021-01-06T09:45:18", "rev": 2}, "vulnersScore": 6.5}, "sourceData": "#%NASL_MIN_LEVEL 70300\n\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Debian Security Advisory DSA-173. The text \n# itself is copyright (C) Software in the Public Interest, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(15010);\n script_version(\"1.16\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/04\");\n\n script_cve_id(\"CVE-2002-1196\");\n script_xref(name:\"DSA\", value:\"173\");\n\n script_name(english:\"Debian DSA-173-1 : bugzilla - privilege escalation\");\n script_summary(english:\"Checks dpkg output for the updated package\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Debian host is missing a security-related update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"The developers of Bugzilla, a web-based bug tracking system,\ndiscovered a problem in the handling of more than 47 groups. When a\nnew product is added to an installation with 47 groups or more and\n'usebuggroups' is enabled, the new group will be assigned a groupset\nbit using Perl math that is not exact beyond 248. This results in the\nnew group being defined with a 'bit' that has several bits set. As\nusers are given access to the new group, those users will also gain\naccess to spurious lower group privileges. Also, group bits were not\nalways reused when groups were deleted.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.debian.org/security/2002/dsa-173\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"Upgrade the bugzilla package.\n\nThis problem has been fixed in version 2.14.2-0woody2 for the current\nstable distribution (woody) and will soon be fixed in the unstable\ndistribution (sid). The old stable distribution (potato) doesn't\ncontain a bugzilla package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:bugzilla\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:3.0\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2002/10/09\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2004/09/29\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2004-2021 Tenable Network Security, Inc.\");\n script_family(english:\"Debian Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Debian/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"debian_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Debian/release\")) audit(AUDIT_OS_NOT, \"Debian\");\nif (!get_kb_item(\"Host/Debian/dpkg-l\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (deb_check(release:\"3.0\", prefix:\"bugzilla\", reference:\"2.14.2-0woody2\")) flag++;\nif (deb_check(release:\"3.0\", prefix:\"bugzilla-doc\", reference:\"2.14.2-0woody2\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "naslFamily": "Debian Local Security Checks", "pluginID": "15010", "cpe": ["cpe:/o:debian:debian_linux:3.0", "p-cpe:/a:debian:debian_linux:bugzilla"], "scheme": null}

{"cve": [{"lastseen": "2020-10-03T11:37:00", "description": "editproducts.cgi in Bugzilla 2.14.x before 2.14.4, and 2.16.x before 2.16.1, when the \"usebuggroups\" feature is enabled and more than 47 groups are specified, does not properly calculate bit values for large numbers, which grants extra permissions to users via known features of Perl math that set multiple bits.", "edition": 3, "cvss3": {}, "published": "2002-10-28T05:00:00", "title": "CVE-2002-1196", "type": "cve", "cwe": ["NVD-CWE-Other"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": true, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2002-1196"], "modified": "2016-10-18T02:24:00", "cpe": ["cpe:/a:mozilla:bugzilla:2.16", "cpe:/a:mozilla:bugzilla:2.14.1", "cpe:/a:mozilla:bugzilla:2.14.2", "cpe:/a:mozilla:bugzilla:2.14.3", "cpe:/a:mozilla:bugzilla:2.14"], "id": "CVE-2002-1196", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2002-1196", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:a:mozilla:bugzilla:2.14.2:*:*:*:*:*:*:*", "cpe:2.3:a:mozilla:bugzilla:2.14.1:*:*:*:*:*:*:*", "cpe:2.3:a:mozilla:bugzilla:2.14.3:*:*:*:*:*:*:*", "cpe:2.3:a:mozilla:bugzilla:2.14:*:*:*:*:*:*:*", "cpe:2.3:a:mozilla:bugzilla:2.16:*:*:*:*:*:*:*"]}], "osvdb": [{"lastseen": "2017-04-28T13:20:01", "bulletinFamily": "software", "cvelist": ["CVE-2002-1196"], "edition": 1, "description": "# No description provided by the source\n\n## References:\n[Vendor Specific Advisory URL](http://bugzilla.mozilla.org/show_bug.cgi?id=167485)\n[Vendor Specific Advisory URL](http://www.bugzilla.org/security/2.16/)\nMail List Post: http://marc.theaimsgroup.com/?l=bugtraq&m=103349804226566&w=2\nISS X-Force ID: 10233\n[CVE-2002-1196](https://vulners.com/cve/CVE-2002-1196)\nBugtraq ID: 5843\n", "modified": "2002-10-01T00:00:00", "published": "2002-10-01T00:00:00", "href": "https://vulners.com/osvdb/OSVDB:6355", "id": "OSVDB:6355", "type": "osvdb", "title": "Bugzilla editproducts.cgi usebuggroups Privilege Escalation", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "openvas": [{"lastseen": "2017-07-24T12:50:17", "bulletinFamily": "scanner", "cvelist": ["CVE-2002-1196"], "description": "The remote host is missing an update to bugzilla\nannounced via advisory DSA 173-1.", "modified": "2017-07-07T00:00:00", "published": "2008-01-17T00:00:00", "id": "OPENVAS:53428", "href": "http://plugins.openvas.org/nasl.php?oid=53428", "type": "openvas", "title": "Debian Security Advisory DSA 173-1 (bugzilla)", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: deb_173_1.nasl 6616 2017-07-07 12:10:49Z cfischer $\n# Description: Auto-generated from advisory DSA 173-1\n#\n# Authors:\n# Thomas Reinke <reinke@securityspace.com>\n#\n# Copyright:\n# Copyright (c) 2007 E-Soft Inc. http://www.securityspace.com\n# Text descriptions are largerly excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"The developers of Bugzilla, a web-based bug tracking system,\ndiscovered a problem in the handling of more than 47 groups. When a\nnew product is added to an installation with 47 groups or more and\nusebuggroups is enabled, the new group will be assigned a groupset\nbit using Perl math that is not exact beyond 2^48. This results in\nthe new group being defined with a bit that has several bits set.\nAs users are given access to the new group, those users will also gain\naccess to spurious lower group privileges. Also, group bits were not\nalways reused when groups were deleted.\n\nThis problem has been fixed in version 2.14.2-0woody2 for the current\nstable distribution (woody) and will soon be fixed in the unstable\ndistribution (sid). The old stable distribution (potato) doesn't\ncontain a bugzilla package.\n\nWe recommend that you upgrade your bugzilla package.\";\ntag_summary = \"The remote host is missing an update to bugzilla\nannounced via advisory DSA 173-1.\";\n\ntag_solution = \"https://secure1.securityspace.com/smysecure/catid.html?in=DSA%20173-1\";\n\nif(description)\n{\n script_id(53428);\n script_version(\"$Revision: 6616 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-07-07 14:10:49 +0200 (Fri, 07 Jul 2017) $\");\n script_tag(name:\"creation_date\", value:\"2008-01-17 22:24:46 +0100 (Thu, 17 Jan 2008)\");\n script_cve_id(\"CVE-2002-1196\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_name(\"Debian Security Advisory DSA 173-1 (bugzilla)\");\n\n\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2005 E-Soft Inc. http://www.securityspace.com\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\");\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n#\n# The script code starts here\n#\n\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif ((res = isdpkgvuln(pkg:\"bugzilla-doc\", ver:\"2.14.2-0woody2\", rls:\"DEB3.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"bugzilla\", ver:\"2.14.2-0woody2\", rls:\"DEB3.0\")) != NULL) {\n report += res;\n}\n\nif (report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "nessus": [{"lastseen": "2021-01-01T01:22:01", "description": "According to its version number, the remote Bugzilla bug tracking\nsystem is vulnerable to various flaws, including SQL injection,\ncross-site scripting, and arbitrary command execution.", "edition": 24, "published": "2003-03-24T00:00:00", "title": "Bugzilla < 2.14.2 / 2.16rc2 / 2.17 Multiple Vulnerabilities (SQLi, XSS, ID, Cmd Exe)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2002-1198", "CVE-2002-0804", "CVE-2002-0807", "CVE-2003-0013", "CVE-2002-0809", "CVE-2002-0805", "CVE-2002-1196", "CVE-2003-0012", "CVE-2002-0808", "CVE-2002-1197", "CVE-2002-0806", "CVE-2002-2260", "CVE-2002-0811", "CVE-2002-0810", "CVE-2002-0803"], "modified": "2021-01-02T00:00:00", "cpe": ["cpe:/a:mozilla:bugzilla"], "id": "BUGZILLA_VULNS.NASL", "href": "https://www.tenable.com/plugins/nessus/11463", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\n\ninclude(\"compat.inc\");\n\n\nif (description)\n{\n script_id(11463);\n script_version(\"1.28\");\n script_cvs_date(\"Date: 2018/11/15 20:50:16\");\n\n if ( NASL_LEVEL >= 3004 )\n {\n script_cve_id(\n \"CVE-2002-0803\",\n \"CVE-2002-0804\",\n \"CVE-2002-0805\",\n \"CVE-2002-0806\",\n \"CVE-2002-0807\",\n \"CVE-2002-0808\",\n \"CVE-2002-0809\",\n \"CVE-2002-0810\",\n \"CVE-2002-0811\",\n \"CVE-2002-1196\",\n \"CVE-2002-1197\",\n \"CVE-2002-1198\",\n \"CVE-2002-2260\",\n \"CVE-2003-0012\",\n \"CVE-2003-0013\"\n );\n }\n script_bugtraq_id(4964, 5842, 5843, 5844, 6257, 6501, 6502);\n\n script_name(english:\"Bugzilla < 2.14.2 / 2.16rc2 / 2.17 Multiple Vulnerabilities (SQLi, XSS, ID, Cmd Exe)\");\n script_summary(english:\"Checks the Bugzilla version number\");\n\n script_set_attribute(attribute:\"synopsis\", value:\"The remote bug tracker has multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to its version number, the remote Bugzilla bug tracking\nsystem is vulnerable to various flaws, including SQL injection,\ncross-site scripting, and arbitrary command execution.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.bugzilla.org/security/2.14.2/\");\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.bugzilla.org/security/2.16/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.bugzilla.org/security/2.16.1/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.bugzilla.org/security/2.16.1-nr/\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Upgrade to Bugzilla version 2.14.5 / 2.16.rc2 / 2.17.3 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No exploit is required\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_cwe_id(79);\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2001/10/30\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2003/03/24\");\n\n script_set_attribute(attribute:\"potential_vulnerability\", value:\"true\");\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:mozilla:bugzilla\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"CGI abuses\");\n\n script_copyright(english:\"This script is Copyright (C) 2003-2018 Tenable Network Security, Inc.\");\n\n script_dependencies(\"bugzilla_detect.nasl\");\n script_exclude_keys(\"Settings/disable_cgi_scanning\");\n script_require_ports(\"Services/www\", 80);\n script_require_keys(\"installed_sw/Bugzilla\", \"Settings/ParanoidReport\");\n\n exit(0);\n}\n\n#\n# The script code starts here\n#\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"http.inc\");\ninclude(\"install_func.inc\");\n\nif (report_paranoia < 2) audit(AUDIT_PARANOID);\n\napp = 'Bugzilla';\nget_install_count(app_name:app, exit_if_zero:TRUE);\n\nport = get_http_port(default:80);\n\n# Check the installed version.\ninstall = get_single_install(\n app_name : app,\n port : port,\n exit_if_unknown_ver : TRUE\n);\n\nversion = install['version'];\ndir = install['path'];\nurl = build_url(port:port, qs:dir+'/query.cgi');\n\nif(ereg(pattern:\"^(1\\..*)|(2\\.(0\\..*|1[0-3]\\..*|14\\.[0-4]|15\\..*|16\\.([0-1]|rc1)|17\\.[0-2]))[^0-9]*$\",\n string:version))\n{\n set_kb_item('www/'+port+'/XSS', TRUE);\n set_kb_item('www/'+port+'/SQLInjection', TRUE);\n if (report_verbosity > 0)\n {\n report =\n '\\n Version : ' + version +\n '\\n URL : ' + url;\n security_hole(port:port, extra:report);\n }\n else security_hole(port);\n exit(0);\n}\nelse audit(AUDIT_WEB_APP_NOT_AFFECTED, app, url, version);\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}]}