[Bug 1185483] New: CVE-2014-8630 Bugzilla: Command Injection into product names and other attributes

https://bugzilla.redhat.com/show_bug.cgi?id=1185483 Bug ID: 1185483 Summary: CVE-2014-8630 Bugzilla: Command Injection into product names and other attributes Product: Security Response Component: vulnerability Keywords: Security Severity: medium Priority: medium Assignee: security-response-team(a)redhat.com Reporter: kseifried(a)redhat.com CC: bazanluis20(a)gmail.com, emmanuel(a)seyman.fr, itamar(a)ispbrasil.com.br, perl-devel(a)lists.fedoraproject.org, xavier(a)bachelot.org The Bugzilla project reports: Class: Command Injection Versions: All versions before 4.0.16, 4.1.1 to 4.2.11, 4.3.1 to 4.4.6, 4.5.1 to 4.5.6 Fixed In: 4.0.16, 4.2.12, 4.4.7, 5.0rc1 Description: Some code in Bugzilla does not properly utilize 3 arguments form for open() and it is possible for an account with editcomponents permissions to inject commands into product names and other attributes. References: https://bugzilla.mozilla.org/show_bug.cgi?id=1079065 CVE Number: CVE-2014-8630 External references: http://www.bugzilla.org/security/4.0.15/ -- You are receiving this mail because: You are on the CC list for the bug. Unsubscribe from this bug https://bugzilla.redhat.com/token.cgi?t=wv1CAf1O1K&a=cc_unsubscribe