CVE-2014-8630

Bugzilla before 4.0.16, 4.1.x and 4.2.x before 4.2.12, 4.3.x and 4.4.x before 4.4.7, and 5.x before 5.0rc1 allows remote authenticated users to execute arbitrary commands by leveraging the editcomponents privilege and triggering crafted input to a two-argument Perl open call, as demonstrated by shell metacharacters in a product name.

CVSS v2.0 6.5 MEDIUM

6.5^/10

CVSS v2.0 : MEDIUM

V2 Legend

Vector : AV:N/AC:L/Au:S/C:P/I:P/A:P

Exploitability : 8.0 / Impact : 6.4

Access Vector NETWORK

Access Complexity LOW

Authentication SINGLE

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact PARTIAL

References

Link	Resource
http://www.bugzilla.org/security/4.0.15/	Patch Issue Tracking Vendor Advisory
https://bugzilla.mozilla.org/show_bug.cgi?id=1079065	Issue Tracking Vendor Advisory
http://lists.fedoraproject.org/pipermail/package-announce/2015-February/149921.html	Third Party Advisory
http://lists.fedoraproject.org/pipermail/package-announce/2015-February/149925.html	Third Party Advisory
https://security.gentoo.org/glsa/201607-11
http://www.mandriva.com/security/advisories?name=MDVSA-2015:030
http://advisories.mageia.org/MGASA-2015-0048.html

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:mozilla:bugzilla::::::::
	cpe:2.3:a:mozilla:bugzilla:4.2:rc2::::::
	cpe:2.3:a:mozilla:bugzilla:4.2.1:::::::*
	cpe:2.3:a:mozilla:bugzilla:4.2.6:::::::*
	cpe:2.3:a:mozilla:bugzilla:4.2.7:::::::*
	cpe:2.3:a:mozilla:bugzilla:4.2.8:::::::*
	cpe:2.3:a:mozilla:bugzilla:4.4:rc1::::::
	cpe:2.3:a:mozilla:bugzilla:4.4:rc2::::::
	cpe:2.3:a:mozilla:bugzilla:4.5:::::::*
	cpe:2.3:a:mozilla:bugzilla:4.5.1:::::::*
	cpe:2.3:a:mozilla:bugzilla:4.1.2:::::::*
	cpe:2.3:a:mozilla:bugzilla:4.1.1:::::::*
	cpe:2.3:a:mozilla:bugzilla:4.3.1:::::::*
	cpe:2.3:a:mozilla:bugzilla:4.3.2:::::::*
	cpe:2.3:a:mozilla:bugzilla:4.2:rc1::::::
	cpe:2.3:a:mozilla:bugzilla:4.2.5:::::::*
	cpe:2.3:a:mozilla:bugzilla:4.4:::::::*
	cpe:2.3:a:mozilla:bugzilla:4.4.6:::::::*
	cpe:2.3:a:mozilla:bugzilla:4.1:::::::*
	cpe:2.3:a:mozilla:bugzilla:4.2.4:::::::*
	cpe:2.3:a:mozilla:bugzilla:4.4.5:::::::*
	cpe:2.3:a:mozilla:bugzilla:4.2.11:::::::*
	cpe:2.3:a:mozilla:bugzilla:4.2:::::::*
	cpe:2.3:a:mozilla:bugzilla:4.5.6:::::::*
	cpe:2.3:a:mozilla:bugzilla:4.2.10:::::::*
	cpe:2.3:a:mozilla:bugzilla:4.5.5:::::::*
	cpe:2.3:a:mozilla:bugzilla:4.3.3:::::::*
	cpe:2.3:a:mozilla:bugzilla:4.2.2:::::::*
	cpe:2.3:a:mozilla:bugzilla:4.4.4:::::::*
	cpe:2.3:a:mozilla:bugzilla:4.2.3:::::::*
	cpe:2.3:a:mozilla:bugzilla:4.4.3:::::::*
	cpe:2.3:a:mozilla:bugzilla:4.1.3:::::::*
	cpe:2.3:a:mozilla:bugzilla:4.5.4:::::::*
	cpe:2.3:a:mozilla:bugzilla:4.3:::::::*
	cpe:2.3:a:mozilla:bugzilla:4.2.9:::::::*
	cpe:2.3:a:mozilla:bugzilla:4.4.1:::::::*
	cpe:2.3:a:mozilla:bugzilla:4.5.3:::::::*
	cpe:2.3:a:mozilla:bugzilla:4.5.2:::::::*
	cpe:2.3:a:mozilla:bugzilla:4.4.2:::::::*

Configuration 2 (hide)

OR	cpe:2.3:o:fedoraproject:fedora:21:::::::*
	cpe:2.3:o:fedoraproject:fedora:20:::::::*

Information

Published : 2015-02-01 07:59

Updated : 2017-01-02 18:59

NVD link : CVE-2014-8630

Mitre link : CVE-2014-8630

JSON object : View

CWE

CWE-77

Improper Neutralization of Special Elements used in a Command ('Command Injection')

Products Affected

mozilla

bugzilla

fedoraproject

fedora

{"cve": {"data_type": "CVE", "references": {"reference_data": [{"url": "http://www.bugzilla.org/security/4.0.15/", "name": "http://www.bugzilla.org/security/4.0.15/", "tags": ["Patch", "Issue Tracking", "Vendor Advisory"], "refsource": "CONFIRM"}, {"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1079065", "name": "https://bugzilla.mozilla.org/show_bug.cgi?id=1079065", "tags": ["Issue Tracking", "Vendor Advisory"], "refsource": "CONFIRM"}, {"url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-February/149921.html", "name": "FEDORA-2015-1713", "tags": ["Third Party Advisory"], "refsource": "FEDORA"}, {"url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-February/149925.html", "name": "FEDORA-2015-1699", "tags": ["Third Party Advisory"], "refsource": "FEDORA"}, {"url": "https://security.gentoo.org/glsa/201607-11", "name": "GLSA-201607-11", "tags": [], "refsource": "GENTOO"}, {"url": "http://www.mandriva.com/security/advisories?name=MDVSA-2015:030", "name": "MDVSA-2015:030", "tags": [], "refsource": "MANDRIVA"}, {"url": "http://advisories.mageia.org/MGASA-2015-0048.html", "name": "http://advisories.mageia.org/MGASA-2015-0048.html", "tags": [], "refsource": "CONFIRM"}]}, "data_format": "MITRE", "description": {"description_data": [{"lang": "en", "value": "Bugzilla before 4.0.16, 4.1.x and 4.2.x before 4.2.12, 4.3.x and 4.4.x before 4.4.7, and 5.x before 5.0rc1 allows remote authenticated users to execute arbitrary commands by leveraging the editcomponents privilege and triggering crafted input to a two-argument Perl open call, as demonstrated by shell metacharacters in a product name."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "en", "value": "CWE-77"}]}]}, "data_version": "4.0", "CVE_data_meta": {"ID": "CVE-2014-8630", "ASSIGNER": "security@mozilla.org"}}, "impact": {"baseMetricV2": {"cvssV2": {"version": "2.0", "baseScore": 6.5, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "authentication": "SINGLE", "integrityImpact": "PARTIAL", "accessComplexity": "LOW", "availabilityImpact": "PARTIAL", "confidentialityImpact": "PARTIAL"}, "severity": "MEDIUM", "impactScore": 6.4, "obtainAllPrivilege": false, "exploitabilityScore": 8.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}}, "publishedDate": "2015-02-01T15:59Z", "configurations": {"nodes": [{"children": [], "operator": "OR", "cpe_match": [{"cpe23Uri": "cpe:2.3:a:mozilla:bugzilla:*:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true, "versionEndIncluding": "4.0.16"}, {"cpe23Uri": "cpe:2.3:a:mozilla:bugzilla:4.2:rc2:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:mozilla:bugzilla:4.2.1:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:mozilla:bugzilla:4.2.6:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:mozilla:bugzilla:4.2.7:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:mozilla:bugzilla:4.2.8:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:mozilla:bugzilla:4.4:rc1:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:mozilla:bugzilla:4.4:rc2:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:mozilla:bugzilla:4.5:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:mozilla:bugzilla:4.5.1:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:mozilla:bugzilla:4.1.2:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:mozilla:bugzilla:4.1.1:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:mozilla:bugzilla:4.3.1:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:mozilla:bugzilla:4.3.2:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:mozilla:bugzilla:4.2:rc1:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:mozilla:bugzilla:4.2.5:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:mozilla:bugzilla:4.4:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:mozilla:bugzilla:4.4.6:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:mozilla:bugzilla:4.1:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:mozilla:bugzilla:4.2.4:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:mozilla:bugzilla:4.4.5:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:mozilla:bugzilla:4.2.11:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:mozilla:bugzilla:4.2:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:mozilla:bugzilla:4.5.6:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:mozilla:bugzilla:4.2.10:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:mozilla:bugzilla:4.5.5:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:mozilla:bugzilla:4.3.3:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:mozilla:bugzilla:4.2.2:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:mozilla:bugzilla:4.4.4:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:mozilla:bugzilla:4.2.3:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:mozilla:bugzilla:4.4.3:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:mozilla:bugzilla:4.1.3:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:mozilla:bugzilla:4.5.4:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:mozilla:bugzilla:4.3:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:mozilla:bugzilla:4.2.9:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:mozilla:bugzilla:4.4.1:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:mozilla:bugzilla:4.5.3:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:mozilla:bugzilla:4.5.2:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:mozilla:bugzilla:4.4.2:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}]}, {"children": [], "operator": "OR", "cpe_match": [{"cpe23Uri": "cpe:2.3:o:fedoraproject:fedora:21:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:o:fedoraproject:fedora:20:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}]}], "CVE_data_version": "4.0"}, "lastModifiedDate": "2017-01-03T02:59Z"}

6.5 /10