Lucene search
HistorySep 14, 2015 - 1:59 a.m.
CVE-2015-4499
CVSS2
7.5
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
AI Score
6.7
Confidence
Low
EPSS
0.024
Percentile
90.1%
Util.pm in Bugzilla 2.x, 3.x, and 4.x before 4.2.15, 4.3.x and 4.4.x before 4.4.10, and 5.x before 5.0.1 mishandles long e-mail addresses during account registration, which allows remote attackers to obtain the default privileges for an arbitrary domain name by placing that name in a substring of an address, as demonstrated by truncation of an @mozilla.com.example.com address to an @mozilla.com address.
Affected configurations
Node
mozillabugzillaMatch2.0
ORmozillabugzillaMatch2.2
ORmozillabugzillaMatch2.4
ORmozillabugzillaMatch2.6
ORmozillabugzillaMatch2.8
ORmozillabugzillaMatch2.10
ORmozillabugzillaMatch2.12
ORmozillabugzillaMatch2.14
ORmozillabugzillaMatch2.14.1
ORmozillabugzillaMatch2.14.2
ORmozillabugzillaMatch2.14.3
ORmozillabugzillaMatch2.14.4
ORmozillabugzillaMatch2.14.5
ORmozillabugzillaMatch2.16
ORmozillabugzillaMatch2.16rc1
ORmozillabugzillaMatch2.16rc2
ORmozillabugzillaMatch2.16.1
ORmozillabugzillaMatch2.16.2
ORmozillabugzillaMatch2.16.3
ORmozillabugzillaMatch2.16.4
ORmozillabugzillaMatch2.16.5
ORmozillabugzillaMatch2.16.6
ORmozillabugzillaMatch2.16.7
ORmozillabugzillaMatch2.16.8
ORmozillabugzillaMatch2.16.9
ORmozillabugzillaMatch2.16.10
ORmozillabugzillaMatch2.16.11
ORmozillabugzillaMatch2.17
ORmozillabugzillaMatch2.17.1
ORmozillabugzillaMatch2.17.2
ORmozillabugzillaMatch2.17.3
ORmozillabugzillaMatch2.17.4
ORmozillabugzillaMatch2.17.5
ORmozillabugzillaMatch2.17.6
ORmozillabugzillaMatch2.17.7
ORmozillabugzillaMatch2.18
ORmozillabugzillaMatch2.18rc1
ORmozillabugzillaMatch2.18rc2
ORmozillabugzillaMatch2.18rc3
ORmozillabugzillaMatch2.18.1
ORmozillabugzillaMatch2.18.2
ORmozillabugzillaMatch2.18.3
ORmozillabugzillaMatch2.18.4
ORmozillabugzillaMatch2.18.5
ORmozillabugzillaMatch2.18.6
ORmozillabugzillaMatch2.19
ORmozillabugzillaMatch2.19.1
ORmozillabugzillaMatch2.19.2
ORmozillabugzillaMatch2.19.3
ORmozillabugzillaMatch2.20
ORmozillabugzillaMatch2.20rc1
ORmozillabugzillaMatch2.20rc2
ORmozillabugzillaMatch2.20.1
ORmozillabugzillaMatch2.20.2
ORmozillabugzillaMatch2.20.3
ORmozillabugzillaMatch2.20.4
ORmozillabugzillaMatch2.20.5
ORmozillabugzillaMatch2.20.6
ORmozillabugzillaMatch2.20.7
ORmozillabugzillaMatch2.21
ORmozillabugzillaMatch2.21.1
ORmozillabugzillaMatch2.22
ORmozillabugzillaMatch2.22rc1
ORmozillabugzillaMatch2.22.1
ORmozillabugzillaMatch2.22.2
ORmozillabugzillaMatch2.22.3
ORmozillabugzillaMatch2.22.4
ORmozillabugzillaMatch2.22.5
ORmozillabugzillaMatch2.22.6
ORmozillabugzillaMatch2.22.7
ORmozillabugzillaMatch2.23
ORmozillabugzillaMatch2.23.1
ORmozillabugzillaMatch2.23.2
ORmozillabugzillaMatch2.23.3
ORmozillabugzillaMatch2.23.4
ORmozillabugzillaMatch3.0
ORmozillabugzillaMatch3.0rc1
ORmozillabugzillaMatch3.0.0
ORmozillabugzillaMatch3.0.1
ORmozillabugzillaMatch3.0.2
ORmozillabugzillaMatch3.0.3
ORmozillabugzillaMatch3.0.4
ORmozillabugzillaMatch3.0.5
ORmozillabugzillaMatch3.0.6
ORmozillabugzillaMatch3.0.7
ORmozillabugzillaMatch3.0.8
ORmozillabugzillaMatch3.0.9
ORmozillabugzillaMatch3.0.10
ORmozillabugzillaMatch3.0.11
ORmozillabugzillaMatch3.1.0
ORmozillabugzillaMatch3.1.1
ORmozillabugzillaMatch3.1.2
ORmozillabugzillaMatch3.1.3
ORmozillabugzillaMatch3.1.4
ORmozillabugzillaMatch3.2
ORmozillabugzillaMatch3.2rc1
ORmozillabugzillaMatch3.2rc2
ORmozillabugzillaMatch3.2.1
ORmozillabugzillaMatch3.2.2
ORmozillabugzillaMatch3.2.3
ORmozillabugzillaMatch3.2.4
ORmozillabugzillaMatch3.2.5
ORmozillabugzillaMatch3.2.6
ORmozillabugzillaMatch3.2.7
ORmozillabugzillaMatch3.2.8
ORmozillabugzillaMatch3.2.9
ORmozillabugzillaMatch3.2.10
ORmozillabugzillaMatch3.3
ORmozillabugzillaMatch3.3.1
ORmozillabugzillaMatch3.3.2
ORmozillabugzillaMatch3.3.3
ORmozillabugzillaMatch3.3.4
ORmozillabugzillaMatch3.4
ORmozillabugzillaMatch3.4rc1
ORmozillabugzillaMatch3.4.1
ORmozillabugzillaMatch3.4.2
ORmozillabugzillaMatch3.4.3
ORmozillabugzillaMatch3.4.4
ORmozillabugzillaMatch3.4.5
ORmozillabugzillaMatch3.4.6
ORmozillabugzillaMatch3.4.7
ORmozillabugzillaMatch3.4.8
ORmozillabugzillaMatch3.4.9
ORmozillabugzillaMatch3.4.10
ORmozillabugzillaMatch3.4.11
ORmozillabugzillaMatch3.4.12
ORmozillabugzillaMatch3.4.13
ORmozillabugzillaMatch3.5
ORmozillabugzillaMatch3.5.1
ORmozillabugzillaMatch3.5.2
ORmozillabugzillaMatch3.5.3
ORmozillabugzillaMatch3.6
ORmozillabugzillaMatch3.6rc1
ORmozillabugzillaMatch3.6.0
ORmozillabugzillaMatch3.6.1
ORmozillabugzillaMatch3.6.2
ORmozillabugzillaMatch3.6.3
ORmozillabugzillaMatch3.6.4
ORmozillabugzillaMatch3.6.5
ORmozillabugzillaMatch3.6.6
ORmozillabugzillaMatch3.6.7
ORmozillabugzillaMatch3.6.8
ORmozillabugzillaMatch3.6.9
ORmozillabugzillaMatch3.6.10
ORmozillabugzillaMatch3.6.11
ORmozillabugzillaMatch3.6.12
ORmozillabugzillaMatch3.6.13
ORmozillabugzillaMatch3.7
ORmozillabugzillaMatch3.7.1
ORmozillabugzillaMatch3.7.2
ORmozillabugzillaMatch3.7.3
ORmozillabugzillaMatch4.0
ORmozillabugzillaMatch4.0rc1
ORmozillabugzillaMatch4.0rc2
ORmozillabugzillaMatch4.0.1
ORmozillabugzillaMatch4.0.2
ORmozillabugzillaMatch4.0.3
ORmozillabugzillaMatch4.0.4
ORmozillabugzillaMatch4.0.5
ORmozillabugzillaMatch4.0.6
ORmozillabugzillaMatch4.0.7
ORmozillabugzillaMatch4.0.8
ORmozillabugzillaMatch4.0.9
ORmozillabugzillaMatch4.0.10
ORmozillabugzillaMatch4.0.11
ORmozillabugzillaMatch4.0.12
ORmozillabugzillaMatch4.0.13
ORmozillabugzillaMatch4.0.16
ORmozillabugzillaMatch4.1
ORmozillabugzillaMatch4.1.1
ORmozillabugzillaMatch4.1.2
ORmozillabugzillaMatch4.1.3
ORmozillabugzillaMatch4.2
ORmozillabugzillaMatch4.2rc1
ORmozillabugzillaMatch4.2rc2
ORmozillabugzillaMatch4.2.1
ORmozillabugzillaMatch4.2.2
ORmozillabugzillaMatch4.2.3
ORmozillabugzillaMatch4.2.4
ORmozillabugzillaMatch4.2.5
ORmozillabugzillaMatch4.2.6
ORmozillabugzillaMatch4.2.7
ORmozillabugzillaMatch4.2.8
ORmozillabugzillaMatch4.2.9
ORmozillabugzillaMatch4.2.11
ORmozillabugzillaMatch4.2.12
ORmozillabugzillaMatch4.2.13
ORmozillabugzillaMatch4.2.14
ORmozillabugzillaMatch4.3
ORmozillabugzillaMatch4.3.1
ORmozillabugzillaMatch4.3.2
ORmozillabugzillaMatch4.3.3
ORmozillabugzillaMatch4.4-
ORmozillabugzillaMatch4.4rc1
ORmozillabugzillaMatch4.4rc2
ORmozillabugzillaMatch4.4.1
ORmozillabugzillaMatch4.4.2
ORmozillabugzillaMatch4.4.3
ORmozillabugzillaMatch4.4.4
ORmozillabugzillaMatch4.4.5
ORmozillabugzillaMatch4.4.6
ORmozillabugzillaMatch4.4.7
ORmozillabugzillaMatch4.4.8
ORmozillabugzillaMatch4.4.9
ORmozillabugzillaMatch5.0
References
lists.fedoraproject.org/pipermail/package-announce/2015-October/168725.html
lists.fedoraproject.org/pipermail/package-announce/2015-October/169946.html
lists.fedoraproject.org/pipermail/package-announce/2015-October/169983.html
packetstormsecurity.com/files/133578/Bugzilla-Unauthorized-Account-Creation.html
seclists.org/bugtraq/2015/Sep/48
seclists.org/bugtraq/2015/Sep/49
www.securitytracker.com/id/1033542
bug1202447.bmoattachments.org/attachment.cgi?id=8657861
bugzilla.mozilla.org/show_bug.cgi?id=1202447
Related
checkpoint_advisories
checkpoint_advisories
Bugzilla Mail Authentication Mechanism Bypass (CVE-2015-4499)
2015-09-20 00:00:00
nessus
nessus
Fedora 23 : bugzilla-4.4.10-1.fc23 (2015-15769)
2015-10-06 00:00:00
FreeBSD : Bugzilla security issues (ea893f06-5a92-11e5-98c0-20cf30e32f6d)
2015-09-14 00:00:00
Fedora 22 : bugzilla-4.4.10-1.fc22 (2015-15767)
2015-10-29 00:00:00
openvas
openvas
Fedora Update for bugzilla FEDORA-2015-15767
2015-10-29 00:00:00
Fedora Update for bugzilla FEDORA-2015-15768
2015-10-29 00:00:00
Mageia: Security Advisory (MGASA-2016-0006)
2016-01-14 00:00:00
cvelist
cvelist
CVE-2015-4499
2015-09-14 01:00:00
securityvulns
securityvulns
Security advisory for Bugzilla 5.0, 4.4.9, and 4.2.14
2015-10-26 00:00:00
Security Advisory for Bugzilla 5.0.1, 4.4.10 and 4.2.15
2015-10-26 00:00:00
archlinux
archlinux
bugzilla: unauthorized account creation
2015-10-08 00:00:00
fedora
fedora
[SECURITY] Fedora 21 Update: bugzilla-4.4.10-1.fc21
2015-10-28 16:22:39
[SECURITY] Fedora 22 Update: bugzilla-4.4.10-1.fc22
2015-10-28 16:30:43
[SECURITY] Fedora 23 Update: bugzilla-4.4.10-1.fc23
2015-10-05 18:22:34
cve
cve
CVE-2015-4499
2015-09-14 01:59:01
prion
prion
Design/Logic Flaw
2015-09-14 01:59:00
thn
thn
New Bug in Bugzilla Software Could Expose Zero-Day Vulnerabilities
2015-09-17 22:26:00
freebsd
freebsd
Bugzilla security issues
2015-09-10 00:00:00
threatpost
threatpost
Bugzilla Privilege Escalation Security Patch
2015-09-17 13:12:01
mageia
mageia
Updated bugzilla packages fix security vulnerability
2016-01-12 12:13:53
CVSS2
7.5
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
AI Score
6.7
Confidence
Low
EPSS
0.024
Percentile
90.1%
Related for NVD:CVE-2015-4499