[prev in list] [next in list] [prev in thread] [next in thread]
List: oss-security
Subject: Re: [oss-security] Re: CVE request: Bugzilla (Unauthorized Bug Change, XSS, Account Impersonation)
From: Hanno =?utf-8?q?B=C3=B6ck?= <hanno () hboeck ! de>
Date: 2008-05-13 11:07:11
Message-ID: 200805131307.11637.hanno () hboeck ! de
[Download RAW message or body]
Am Mittwoch 07 Mai 2008 schrieb Steven M. Christey:
> ======================================================
> Name: CVE-2008-2104
> Status: Candidate
> URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2104
> Reference: CONFIRM:http://www.bugzilla.org/security/2.20.5/
> Reference: CONFIRM:https://bugzilla.mozilla.org/show_bug.cgi?id=415471
> Reference: BID:29038
> Reference: URL:http://www.securityfocus.com/bid/29038
> Reference: FRSIRT:ADV-2008-1428
> Reference:
> URL:http://www.frsirt.com/english/advisories/2008/1428/references
> Reference: SECTRACK:1019968
> Reference: URL:http://www.securitytracker.com/id?1019968
> Reference: SECUNIA:30064
> Reference: URL:http://secunia.com/advisories/30064
> Reference: XF:bugzilla-xmlrpc-security-bypass(42218)
> Reference: URL:http://xforce.iss.net/xforce/xfdb/42218
>
> The WebService in Bugzilla before 3.1.3 allows remote authenticated
> users without canconfirm privileges to create NEW or ASSIGNED bug
> entries via a request to the XML-RPC interface, which bypasses the
> canconfirm check.
I think this should be "3.1.3 and before" ?
As 3.1.3 is also affected according to the upstream advisory.
--
Hanno Böck Blog: http://www.hboeck.de/
GPG: 3DBD3B20 Jabber/Mail: hanno@hboeck.de
["signature.asc" (application/pgp-signature)]
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic