Info

Disclosure

Oct 15, 2006

Discovery

Unknown

Dates

Exploit

Unknown

Solution

Unknown

Description

Bugzilla contains a flaw that may lead to an unauthorized information disclosure. The issue is triggered when viewing a bug in XML format, which will disclose the deadline even to those not part of the "timetrackinggroup" resulting in a loss of confidentiality.

Classification

Location: Remote / Network Access
Attack Type: Information Disclosure
Impact: Loss of Confidentiality
Exploit: Exploit Unknown
Disclosure: OSVDB Verified, Vendor Verified
OSVDB: Web Related

Solution

Upgrade to version 2.18.6, 2.20.3, 2.22.1, or 2.23.3 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

Products

Mozilla Organization	Bugzilla	2.18.5
		2.20.2
		2.22
		2.23.2

References

CVE ID: 2006-5454 (see also: NVD)
Secunia Advisory ID: 22409 22790
Related OSVDB ID: 29544 29545 29546 29548 29549
Mail List Post: http://archives.neohapsis.com/archives/bugtraq/2006-10/0242.html
Vendor Specific Advisory URL: http://www.gentoo.org/security/en/glsa/glsa-200611-04.xml
Vendor Specific News/Changelog Entry: https://bugzilla.mozilla.org/show_bug.cgi?id=346564

Credit

Frédéric Buclin -
Josh "timeless" Soref -

Direct URL: http://osvdb.org/29547

Info

Disclosure

Discovery

Dates

Exploit

Solution

Description

Classification

Solution

Products

Mozilla Organization

Bugzilla

References

Credit