Bugzilla XML Format Deadline Field Disclosure

2006-10-15T06:33:59
ID OSVDB:29547
Type osvdb
Reporter Josh "timeless" Soref, Frédéric Buclin
Modified 2006-10-15T06:33:59

Description

Vulnerability Description

Bugzilla contains a flaw that may lead to unauthorized information disclosure. The issue is triggered when a bug is viewed in XML format: the output discloses the bug's deadline even to users who are not members of the "timetrackinggroup", resulting in a loss of confidentiality.

Solution Description

Upgrade to version 2.18.6, 2.20.3, 2.22.1, or 2.23.3 or higher, as these versions have been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

References:

Vendor Specific News/Changelog Entry: https://bugzilla.mozilla.org/show_bug.cgi?id=346564
Vendor Specific Advisory URL
Secunia Advisory ID: 22409
Secunia Advisory ID: 22790
Related OSVDB ID: 29545
Related OSVDB ID: 29546
Related OSVDB ID: 29548
Related OSVDB ID: 29549
Related OSVDB ID: 29544
Mail List Post: http://archives.neohapsis.com/archives/bugtraq/2006-10/0242.html
CVE-2006-5454