Bugzilla shadow-sync Arbitrary Password Disclosure

2002-06-08T06:50:00
ID OSVDB:6399
Type osvdb
Reporter Dave Miller (justdave@syndicomm.com)
Modified 2002-06-08T06:50:00

Description

Vulnerability Description

Bugzilla contains a flaw that may lead to an unauthorized information disclosure. The issue is triggered when the system attempts to remove leftover shadow sync commands, which will disclose unencrypted email and password information resulting in a loss of confidentiality.

Solution Description

Upgrade to version 2.14.2 / 2.16rc2 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

References:

Vendor URL: http://www.bugzilla.org/download.html
Vendor Specific Solution URL: http://ftp.mozilla.org/pub/webtools/bugzilla-2.14.1-to-2.14.2.diff.gz
Vendor Specific Solution URL: http://ftp.mozilla.org/pub/webtools/bugzilla-2.14-to-2.14.2.diff.gz
Vendor Specific Advisory URL
Mail List Post: http://www.securityfocus.com/archive/1/276031
ISS X-Force ID: 9306
CVE-2002-0810
Bugtraq ID: 4964