Bugzilla showdependencygraph.cgi reveals full comments of restricted bugs

bugzilla-show-dependency-graph (7060) The risk level is classified as MediumMedium Risk

Description:

A vulnerability in the showdependencygraph.cgi script in Bugzilla could allow a remote attacker to view restricted bug comments. A remote attacker using the show_activity.cgi interface and the show_bug.cgi interface can find a restricted bug and view the full comments of the restricted bug by requesting the bug id through the showdependencygraph.cgi script. An attacker can use this vulnerability to obtain sensitive information.


Consequences:

Obtain Information

Remedy:

Upgrade to the latest version of Bugzilla (2.14 or later), as listed in Bugzilla Security Advisory dated August 30th, 2001. See References.

For Red Hat Powertools 7.0 and 7.1:
Upgrade to the latest version of Bugzilla (2.14-1 or later), as listed in Red Hat, Inc. RHSA-2001:107-07. See References.

For other distributions:
Contact your vendor for upgrade or patch information.

References:

  • BugTraq Mailing List, Wed Aug 29 2001 - 17:55:42 CDT: Security Advisory for Bugzilla v2.13 and older.
  • Bugzilla bug pages: Bug 39533 - showdependencygraph.cgi doesn't check viewing permissions.
  • Bugzilla Home page: Bugzilla Project Home Page.
  • Bugzilla Security Advisory Aug 30th, 2001: Users of Bugzilla are recommended to update to version 2.14.
  • BID-3270: BugZilla ShowDependencyGraph.CGI Restricted Bug Comments Revealing Vulnerability
  • CVE-2001-1401: Bugzilla before 2.14 does not properly restrict access to confidential bugs, which could allow Bugzilla users to bypass viewing permissions via modified bug id parameters in (1) process_bug.cgi, (2) show_activity.cgi, (3) showvotes.cgi, (4) showdependencytree.cgi, (5) showdependencygraph.cgi, (6) showattachment.cgi, or (7) describecomponents.cgi.
  • RHSA-2001-107: New bugzilla packages are available

Platforms Affected:

  • Mozilla Bugzilla 2.10
  • Mozilla Bugzilla 2.12
  • Mozilla Bugzilla 2.14
  • Mozilla Bugzilla 2.4
  • Mozilla Bugzilla 2.6
  • Mozilla Bugzilla 2.8
  • RedHat Linux 7
  • RedHat Linux 7.1
  • RedHat Linux 7.2
  • RedHat Linux 7.3
  • RedHat Linux Powertools 7.0
  • RedHat Linux Powertools 7.1

Reported:

Aug 29, 2001

The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

For corrections or additions please email ignore thisxforceignore this@ignore thisus.ignore thisibm.comignore this

Return to the main page