CVE-2011-2979

Bugzilla 4.1.x before 4.1.3 generates different responses for certain assignee queries depending on whether the group name is valid, which allows remote attackers to determine the existence of private group names via a custom search. NOTE: this vulnerability exists because of a CVE-2010-2756 regression.

CVSS v2.0 5.0 MEDIUM

5.0^/10

CVSS v2.0 : MEDIUM

Vector : AV:N/AC:L/Au:N/C:P/I:N/A:N

Exploitability : 10.0 / Impact : 2.9

Access Vector NETWORK

Access Complexity LOW

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact NONE

Availability Impact NONE

References

Link	Resource
https://bugzilla.mozilla.org/show_bug.cgi?id=674497	Exploit Patch
http://secunia.com/advisories/45501	Vendor Advisory
http://www.securityfocus.com/bid/49042
http://www.bugzilla.org/security/3.4.11/	Vendor Advisory
http://www.osvdb.org/74299
http://www.osvdb.org/74298
http://www.debian.org/security/2011/dsa-2322
https://exchange.xforce.ibmcloud.com/vulnerabilities/69166

Advertisement

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:mozilla:bugzilla:4.1.1:::::::*
	cpe:2.3:a:mozilla:bugzilla:4.1.2:::::::*
	cpe:2.3:a:mozilla:bugzilla:4.1:::::::*

Information

Published : 2011-08-09 12:55

Updated : 2017-08-28 18:29

NVD link : CVE-2011-2979

Mitre link : CVE-2011-2979

JSON object : View

CWE

NVD-CWE-Other

Advertisement

Products Affected

mozilla

bugzilla

{"cve": {"data_type": "CVE", "references": {"reference_data": [{"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=674497", "name": "https://bugzilla.mozilla.org/show_bug.cgi?id=674497", "tags": ["Exploit", "Patch"], "refsource": "CONFIRM"}, {"url": "http://secunia.com/advisories/45501", "name": "45501", "tags": ["Vendor Advisory"], "refsource": "SECUNIA"}, {"url": "http://www.securityfocus.com/bid/49042", "name": "49042", "tags": [], "refsource": "BID"}, {"url": "http://www.bugzilla.org/security/3.4.11/", "name": "http://www.bugzilla.org/security/3.4.11/", "tags": ["Vendor Advisory"], "refsource": "CONFIRM"}, {"url": "http://www.osvdb.org/74299", "name": "74299", "tags": [], "refsource": "OSVDB"}, {"url": "http://www.osvdb.org/74298", "name": "74298", "tags": [], "refsource": "OSVDB"}, {"url": "http://www.debian.org/security/2011/dsa-2322", "name": "DSA-2322", "tags": [], "refsource": "DEBIAN"}, {"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/69166", "name": "bugzilla-queries-info-disclosure(69166)", "tags": [], "refsource": "XF"}]}, "data_format": "MITRE", "description": {"description_data": [{"lang": "en", "value": "Bugzilla 4.1.x before 4.1.3 generates different responses for certain assignee queries depending on whether the group name is valid, which allows remote attackers to determine the existence of private group names via a custom search. NOTE: this vulnerability exists because of a CVE-2010-2756 regression."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "en", "value": "NVD-CWE-Other"}]}]}, "data_version": "4.0", "CVE_data_meta": {"ID": "CVE-2011-2979", "ASSIGNER": "cve@mitre.org"}}, "impact": {"baseMetricV2": {"cvssV2": {"version": "2.0", "baseScore": 5.0, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "authentication": "NONE", "integrityImpact": "NONE", "accessComplexity": "LOW", "availabilityImpact": "NONE", "confidentialityImpact": "PARTIAL"}, "severity": "MEDIUM", "impactScore": 2.9, "obtainAllPrivilege": false, "exploitabilityScore": 10.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}}, "publishedDate": "2011-08-09T19:55Z", "configurations": {"nodes": [{"children": [], "operator": "OR", "cpe_match": [{"cpe23Uri": "cpe:2.3:a:mozilla:bugzilla:4.1.1:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:mozilla:bugzilla:4.1.2:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:mozilla:bugzilla:4.1:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}]}], "CVE_data_version": "4.0"}, "lastModifiedDate": "2017-08-29T01:29Z"}