Vulnerability CVE-2005-3138 - CERT Civis.Net

Vulnerability Name:

CVE-2005-3138 (CCN-22490)

Assigned:

2005-10-03

Published:

2005-10-03

Updated:

2017-07-11

Summary:

Bugzilla 2.18rc1 through 2.18.3, 2.19 through 2.20rc2, and 2.21 allows remote attackers to obtain sensitive information such as the list of installed products via the config.cgi file, which is accessible even when the requirelogin parameter is set.

CVSS v3 Severity:

5.3 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)

Exploitability Metrics:	Attack Vector (AV): Network Attack Complexity (AC): Low Privileges Required (PR): None User Interaction (UI): None
Scope:	Scope (S): Unchanged
Impact Metrics:	Confidentiality (C): Low Integrity (I): None Availibility (A): None

CVSS v2 Severity:

5.0 Medium (CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Low Authentication (Au): None
Impact Metrics:	Confidentiality (C): Partial Integrity (I): None Availibility (A): None

5.0 Medium (CCN CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Low Athentication (Au): None
Impact Metrics:	Confidentiality (C): Partial Integrity (I): None Availibility (A): None

Vulnerability Type:

Vulnerability Consequences:

Obtain Information

References:

Source: MITRE
Type: CNA
CVE-2005-3138

Source: BUGTRAQ
Type: UNKNOWN
20051001 Security Advisory for Bugzilla 2.18.3, 2.20rc2, and 2.21

Source: CCN
Type: SA17030
Bugzilla Two Information Disclosure Security Issues

Source: SECUNIA
Type: Patch, Vendor Advisory
17030

Source: CCN
Type: Bugzilla Web page
Bugzilla

Source: CCN
Type: Bugzilla Security Advisory, September 30, 2005
2.18.4, 2.20, and 2.21.1 Security Advisory

Source: CONFIRM
Type: Vendor Advisory
http://www.bugzilla.org/security/2.18.4/

Source: CCN
Type: OSVDB ID: 19811
Bugzilla config.cgi Unauthenticated Product Name Disclosure

Source: BID
Type: Patch
14995

Source: CCN
Type: BID-14995
Bugzilla config.cgi Information Disclosure Vulnerability

Source: CCN
Type: BID-14996
Bugzilla User-Matching Information Disclosure Vulnerability

Source: XF
Type: UNKNOWN
bugzilla-config-obtain-information(22490)

Source: XF
Type: UNKNOWN
bugzilla-config-obtain-information(22490)

Vulnerable Configuration:

Configuration 1:

cpe:/a:mozilla:bugzilla:2.18:rc1:*:*:*:*:*:*

OR cpe:/a:mozilla:bugzilla:2.18:rc2:*:*:*:*:*:*

OR cpe:/a:mozilla:bugzilla:2.18:rc3:*:*:*:*:*:*

OR cpe:/a:mozilla:bugzilla:2.18.1:*:*:*:*:*:*:*

OR cpe:/a:mozilla:bugzilla:2.18.2:*:*:*:*:*:*:*

OR cpe:/a:mozilla:bugzilla:2.18.3:*:*:*:*:*:*:*

OR cpe:/a:mozilla:bugzilla:2.19:*:*:*:*:*:*:*

OR cpe:/a:mozilla:bugzilla:2.19.1:*:*:*:*:*:*:*

OR cpe:/a:mozilla:bugzilla:2.19.2:*:*:*:*:*:*:*

OR cpe:/a:mozilla:bugzilla:2.19.3:*:*:*:*:*:*:*

OR cpe:/a:mozilla:bugzilla:2.20:rc1:*:*:*:*:*:*

OR cpe:/a:mozilla:bugzilla:2.20:rc2:*:*:*:*:*:*

OR cpe:/a:mozilla:bugzilla:2.21:*:*:*:*:*:*:*

Configuration CCN 1:

cpe:/a:mozilla:bugzilla:2.19.1:*:*:*:*:*:*:*

OR cpe:/a:mozilla:bugzilla:2.19.2:*:*:*:*:*:*:*

OR cpe:/a:mozilla:bugzilla:2.21:*:*:*:*:*:*:*

OR cpe:/a:mozilla:bugzilla:2.18.1:*:*:*:*:*:*:*

OR cpe:/a:mozilla:bugzilla:2.18.2:*:*:*:*:*:*:*

OR cpe:/a:mozilla:bugzilla:2.18.3:*:*:*:*:*:*:*

OR cpe:/a:mozilla:bugzilla:2.18:rc1:*:*:*:*:*:*

OR cpe:/a:mozilla:bugzilla:2.18:rc2:*:*:*:*:*:*

OR cpe:/a:mozilla:bugzilla:2.18:rc3:*:*:*:*:*:*

OR cpe:/a:mozilla:bugzilla:2.19:*:*:*:*:*:*:*

OR cpe:/a:mozilla:bugzilla:2.19.3:*:*:*:*:*:*:*

OR cpe:/a:mozilla:bugzilla:2.20:rc1:*:*:*:*:*:*

OR cpe:/a:mozilla:bugzilla:2.20:rc2:*:*:*:*:*:*

Denotes that component is vulnerable