SB2015020102 - Command Injection in Mozilla Bugzilla
Published: February 1, 2015 Updated: August 9, 2020
Security Bulletin ID
SB2015020102
Severity
Low
Patch available
YES
Number of vulnerabilities
1
Exploitation vector
Remote access
Highest impact
Data manipulation
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 1 security vulnerability.
1) Command Injection (CVE-ID: CVE-2014-8630)
The vulnerability allows a remote #AU# to read and manipulate data.
Bugzilla before 4.0.16, 4.1.x and 4.2.x before 4.2.12, 4.3.x and 4.4.x before 4.4.7, and 5.x before 5.0rc1 allows remote authenticated users to execute arbitrary commands by leveraging the editcomponents privilege and triggering crafted input to a two-argument Perl open call, as demonstrated by shell metacharacters in a product name.
Remediation
Install update from vendor's website.
References
- http://advisories.mageia.org/MGASA-2015-0048.html
- http://lists.fedoraproject.org/pipermail/package-announce/2015-February/149921.html
- http://lists.fedoraproject.org/pipermail/package-announce/2015-February/149925.html
- http://www.bugzilla.org/security/4.0.15/
- http://www.mandriva.com/security/advisories?name=MDVSA-2015:030
- https://bugzilla.mozilla.org/show_bug.cgi?id=1079065
- https://security.gentoo.org/glsa/201607-11