Command Injection in Mozilla Bugzilla

Updated: 2020-08-09
Risk Low
Patch available YES
Number of vulnerabilities 1
CVE-ID CVE-2014-8630
CWE-ID CWE-77
Exploitation vector Network
Public exploit N/A
Vulnerable software
Bugzilla
Web applications / Other software

Fedora
Operating systems & Components / Operating system

Vendor Mozilla
Fedoraproject

Security Bulletin

This security bulletin contains one low risk vulnerability.

1) Command Injection

EUVDB-ID: #VU40919

Risk: Low

CVSSv3.1: 3 [CVSS:3.1/AV:N/AC:L/PR:/UI:N/S:U/C:L/I:L/A:L/E:U/RL:O/RC:C]

CVE-ID: CVE-2014-8630

CWE-ID: CWE-77 - Command injection

Exploit availability: No

Description

The vulnerability allows a remote authenticated user with the editcomponents privilege to execute arbitrary commands on the target system.

Bugzilla before 4.0.16, 4.1.x and 4.2.x before 4.2.12, 4.3.x and 4.4.x before 4.4.7, and 5.x before 5.0rc1 allows remote authenticated users to execute arbitrary commands by leveraging the editcomponents privilege and triggering crafted input to a two-argument Perl open call, as demonstrated by shell metacharacters in a product name.
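The root cause named in the description is Perl's two-argument open(): with only two arguments, Perl parses the open mode out of the string itself, so a trailing "|" turns a supposed file path into a shell command whose output the program then reads. The following is an added illustration written for this bulletin, not Bugzilla's own code; the function names, the data directory and the product name payload are constructed here. It shows the vulnerable pattern beside the hardened form (three-argument open() with an explicit mode, plus an allow-list on the name):

```perl
#!/usr/bin/perl
# Added illustration (not Bugzilla's code): why a two-argument open() is a
# command injection sink when the string is built from user-controlled data
# such as a product name.
use strict;
use warnings;
use File::Temp qw(tempdir);

# VULNERABLE: with two arguments, Perl infers the *mode* from the string.
# Leading '<', '>', '>>' or '|' and a trailing '|' are all interpreted, so a
# value ending in '|' makes open() run the rest of the string via /bin/sh
# and hand us a read handle on its stdout.
sub read_product_notes_vulnerable {
    my ($datadir, $product_name) = @_;
    my $path = "$datadir/$product_name";   # attacker controls the tail
    open(my $fh, $path) or return;          # mode is parsed out of $path
    local $/;                               # slurp the whole handle
    my $data = <$fh>;
    close($fh);
    return $data;
}

# HARDENED: the three-argument form pins the mode to '<', so the third
# argument can only ever name a file. The allow-list on the product name
# additionally rejects metacharacters before anything touches the filesystem.
sub read_product_notes_safe {
    my ($datadir, $product_name) = @_;
    die "invalid product name\n"
        unless $product_name =~ /\A[A-Za-z0-9][A-Za-z0-9._ -]{0,63}\z/;
    my $path = "$datadir/$product_name";
    open(my $fh, '<', $path) or return;
    local $/;
    my $data = <$fh>;
    close($fh);
    return $data;
}

my $datadir = tempdir(CLEANUP => 1);    # hypothetical data directory

# Legitimate product name: both versions read the file.
my $name = 'Firefox';
open(my $out, '>', "$datadir/$name") or die "cannot write fixture: $!";
print $out "release notes\n";
close($out);
print 'vulnerable, benign name: ', read_product_notes_vulnerable($datadir, $name) // "(open failed)\n";
print 'safe, benign name:       ', read_product_notes_safe($datadir, $name)       // "(open failed)\n";

# Constructed payload: shell metacharacters plus a trailing pipe.
my $evil = '; echo INJECTED |';
print 'vulnerable, payload:     ', read_product_notes_vulnerable($datadir, $evil) // "(open failed)\n";
# The shell ran "$datadir/; echo INJECTED" and the function returns "INJECTED\n".

my $res = eval { read_product_notes_safe($datadir, $evil) };
if ($@) {
    chomp(my $err = $@);
    print "safe, payload:           rejected: $err\n";
} else {
    print 'safe, payload:           ', $res // "(open failed)\n";
}
```

The trailing "|" is only one of the dangerous prefixes and suffixes the two-argument form honours: a leading "|" writes to a command, and a leading ">" or ">>" truncates or appends to whatever file the attacker names. Auditing a Perl code base for this class of bug therefore means searching for every open() call with two arguments whose string is not a literal, not just for the shell-metacharacter case this CVE demonstrates.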

Mitigation

Install the update from the vendor's website: upgrade to Bugzilla 4.0.16, 4.2.12, 4.4.7 or 5.0rc1 (or later), depending on the branch in use. The installed version can be confirmed from the version string in the installation's Bugzilla/Constants.pm.

Vulnerable software versions

Bugzilla: 4.1 - 4.5.6

Fedora: 4.1 - 21

External links

http://advisories.mageia.org/MGASA-2015-0048.html
http://lists.fedoraproject.org/pipermail/package-announce/2015-February/149921.html
http://lists.fedoraproject.org/pipermail/package-announce/2015-February/149925.html
http://www.bugzilla.org/security/4.0.15/
http://www.mandriva.com/security/advisories?name=MDVSA-2015:030
http://bugzilla.mozilla.org/show_bug.cgi?id=1079065
http://security.gentoo.org/glsa/201607-11


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited remotely via the Internet by an authenticated user who holds the editcomponents privilege.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.
