FKIE_CVE-2011-2979

Vulnerability from fkie_nvd - Published: 2011-08-09 19:55 - Updated: 2025-04-11 00:51
Severity ?
Summary
Bugzilla 4.1.x before 4.1.3 generates different responses for certain assignee queries depending on whether the group name is valid, which allows remote attackers to determine the existence of private group names via a custom search. NOTE: this vulnerability exists because of a CVE-2010-2756 regression.
References
cve@mitre.orghttp://secunia.com/advisories/45501Vendor Advisory
cve@mitre.orghttp://www.bugzilla.org/security/3.4.11/Vendor Advisory
cve@mitre.orghttp://www.debian.org/security/2011/dsa-2322
cve@mitre.orghttp://www.osvdb.org/74298
cve@mitre.orghttp://www.osvdb.org/74299
cve@mitre.orghttp://www.securityfocus.com/bid/49042
cve@mitre.orghttps://bugzilla.mozilla.org/show_bug.cgi?id=674497Exploit, Patch
cve@mitre.orghttps://exchange.xforce.ibmcloud.com/vulnerabilities/69166
af854a3a-2127-422b-91ae-364da2661108http://secunia.com/advisories/45501Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108http://www.bugzilla.org/security/3.4.11/Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108http://www.debian.org/security/2011/dsa-2322
af854a3a-2127-422b-91ae-364da2661108http://www.osvdb.org/74298
af854a3a-2127-422b-91ae-364da2661108http://www.osvdb.org/74299
af854a3a-2127-422b-91ae-364da2661108http://www.securityfocus.com/bid/49042
af854a3a-2127-422b-91ae-364da2661108https://bugzilla.mozilla.org/show_bug.cgi?id=674497Exploit, Patch
af854a3a-2127-422b-91ae-364da2661108https://exchange.xforce.ibmcloud.com/vulnerabilities/69166
Impacted products
Vendor Product Version
mozilla bugzilla 4.1
mozilla bugzilla 4.1.1
mozilla bugzilla 4.1.2
To clipboard 

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:mozilla:bugzilla:4.1:*:*:*:*:*:*:*",
              "matchCriteriaId": "85CDC579-6967-4E5C-B716-B2BC04F6DBF2",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:mozilla:bugzilla:4.1.1:*:*:*:*:*:*:*",
              "matchCriteriaId": "27783033-F558-427C-89A7-C3638C57F2A0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:mozilla:bugzilla:4.1.2:*:*:*:*:*:*:*",
              "matchCriteriaId": "E91557C7-8C53-49C4-8BC5-7F86D4AA09B8",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Bugzilla 4.1.x before 4.1.3 generates different responses for certain assignee queries depending on whether the group name is valid, which allows remote attackers to determine the existence of private group names via a custom search.  NOTE: this vulnerability exists because of a CVE-2010-2756 regression."
    },
    {
      "lang": "es",
      "value": "Bugzilla 4.1.x anteriores a 4.1.3 genera respuestas distintas a peticiones determinadas sobre la persona asignada (\"assignee\") dependiendo de si el nombre del grupo es v\u00e1lido, lo que permite a atacantes remotos determinar la existencia de nombres de grupos privados a trav\u00e9s de una b\u00fasqueda. NOTE: esta vulnerabilidad existe debido a una regresi\u00f3n de CVE-2010-2756."
    }
  ],
  "id": "CVE-2011-2979",
  "lastModified": "2025-04-11T00:51:21.963",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "LOW",
          "accessVector": "NETWORK",
          "authentication": "NONE",
          "availabilityImpact": "NONE",
          "baseScore": 5.0,
          "confidentialityImpact": "PARTIAL",
          "integrityImpact": "NONE",
          "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
          "version": "2.0"
        },
        "exploitabilityScore": 10.0,
        "impactScore": 2.9,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ]
  },
  "published": "2011-08-09T19:55:01.683",
  "references": [
    {
      "source": "cve@mitre.org",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "http://secunia.com/advisories/45501"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "http://www.bugzilla.org/security/3.4.11/"
    },
    {
      "source": "cve@mitre.org",
      "url": "http://www.debian.org/security/2011/dsa-2322"
    },
    {
      "source": "cve@mitre.org",
      "url": "http://www.osvdb.org/74298"
    },
    {
      "source": "cve@mitre.org",
      "url": "http://www.osvdb.org/74299"
    },
    {
      "source": "cve@mitre.org",
      "url": "http://www.securityfocus.com/bid/49042"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Exploit",
        "Patch"
      ],
      "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=674497"
    },
    {
      "source": "cve@mitre.org",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/69166"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "http://secunia.com/advisories/45501"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "http://www.bugzilla.org/security/3.4.11/"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://www.debian.org/security/2011/dsa-2322"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://www.osvdb.org/74298"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://www.osvdb.org/74299"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://www.securityfocus.com/bid/49042"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Exploit",
        "Patch"
      ],
      "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=674497"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/69166"
    }
  ],
  "sourceIdentifier": "cve@mitre.org",
  "vulnStatus": "Deferred",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "NVD-CWE-Other"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.