Vulnerability CVE-2009-1213 - CERT Civis.Net

Vulnerability Name:

CVE-2009-1213 (CCN-49524)

Assigned:

2009-03-30

Published:

2009-03-30

Updated:

2017-08-17

Summary:

Cross-site request forgery (CSRF) vulnerability in attachment.cgi in Bugzilla 3.2 before 3.2.3, 3.3 before 3.3.4, and earlier versions allows remote attackers to hijack the authentication of arbitrary users for requests that use attachment editing.

CVSS v3 Severity:

5.3 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)

Exploitability Metrics:	Attack Vector (AV): Network Attack Complexity (AC): Low Privileges Required (PR): None User Interaction (UI): None
Scope:	Scope (S): Unchanged
Impact Metrics:	Confidentiality (C): None Integrity (I): Low Availibility (A): None

CVSS v2 Severity:

6.8 Medium (CVSS v2 Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P)
5.9 Medium (Temporal CVSS v2 Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P/E:H/RL:OF/RC:C)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Medium Authentication (Au): None
Impact Metrics:	Confidentiality (C): Partial Integrity (I): Partial Availibility (A): Partial

4.3 Medium (CCN CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N)
3.7 Low (CCN Temporal CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N/E:H/RL:OF/RC:C)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Medium Athentication (Au): None
Impact Metrics:	Confidentiality (C): None Integrity (I): Partial Availibility (A): None

Vulnerability Type:

Vulnerability Consequences:

Gain Access

References:

Source: MITRE
Type: CNA
CVE-2009-1213

Source: CCN
Type: SA34545
Bugzilla "attachment.cgi" Cross-Site Request Forgery Vulnerability

Source: SECUNIA
Type: Vendor Advisory
34545

Source: CCN
Type: SA34547
Bugzilla "attachment.cgi" Cross-Site Request Forgery Vulnerability

Source: SECUNIA
Type: Vendor Advisory
34547

Source: SECUNIA
Type: UNKNOWN
34624

Source: CCN
Type: Bugzilla Web site
3.2.2 and 3.3.3 Security Advisory

Source: CONFIRM
Type: Patch, Vendor Advisory
http://www.bugzilla.org/security/3.2.2/

Source: CCN
Type: GLSA-201006-19
Bugzilla: Multiple vulnerabilities

Source: CCN
Type: OSVDB ID: 53069
Bugzilla attachment.cgi Attachment Editing Authentication Bypass CSRF

Source: BID
Type: UNKNOWN
34308

Source: CCN
Type: BID-34308
Bugzilla 'attachment.cgi' Cross Site Request Forgery Vulnerability

Source: VUPEN
Type: Patch, Vendor Advisory
ADV-2009-0887

Source: CONFIRM
Type: Vendor Advisory
https://bugzilla.mozilla.org/show_bug.cgi?id=476603

Source: XF
Type: UNKNOWN
bugzilla-attachment-csrf(49524)

Source: XF
Type: UNKNOWN
bugzilla-attachment-csrf(49524)

Source: FEDORA
Type: UNKNOWN
FEDORA-2009-3405

Source: FEDORA
Type: UNKNOWN
FEDORA-2009-3410

Vulnerable Configuration:

Configuration 1:

cpe:/a:mozilla:bugzilla:3.2:*:*:*:*:*:*:*

OR cpe:/a:mozilla:bugzilla:3.2:rc1:*:*:*:*:*:*

OR cpe:/a:mozilla:bugzilla:3.2:rc2:*:*:*:*:*:*

OR cpe:/a:mozilla:bugzilla:3.2.1:*:*:*:*:*:*:*

OR cpe:/a:mozilla:bugzilla:3.2.2:*:*:*:*:*:*:*

OR cpe:/a:mozilla:bugzilla:3.3:*:*:*:*:*:*:*

OR cpe:/a:mozilla:bugzilla:3.3.1:*:*:*:*:*:*:*

OR cpe:/a:mozilla:bugzilla:3.3.2:*:*:*:*:*:*:*

OR cpe:/a:mozilla:bugzilla:3.3.3:*:*:*:*:*:*:*

Configuration CCN 1:

cpe:/a:mozilla:bugzilla:3.3.1:*:*:*:*:*:*:*

OR cpe:/a:mozilla:bugzilla:3.2:*:*:*:*:*:*:*

OR cpe:/a:mozilla:bugzilla:3.3.2:*:*:*:*:*:*:*

OR cpe:/a:mozilla:bugzilla:3.2.1:*:*:*:*:*:*:*

OR cpe:/a:mozilla:bugzilla:3.3.3:*:*:*:*:*:*:*

OR cpe:/a:mozilla:bugzilla:3.2.2:*:*:*:*:*:*:*

OR cpe:/a:mozilla:bugzilla:3.2:rc1:*:*:*:*:*:*

OR cpe:/a:mozilla:bugzilla:3.2:rc2:*:*:*:*:*:*

OR cpe:/a:mozilla:bugzilla:3.3:*:*:*:*:*:*:*

AND

cpe:/o:gentoo:linux:*:*:*:*:*:*:*:*

Denotes that component is vulnerable