CVE-2010-2757
https://notcve.org/view.php?id=CVE-2010-2757
The sudo feature in Bugzilla 2.22rc1 through 3.2.7, 3.3.1 through 3.4.7, 3.5.1 through 3.6.1, and 3.7 through 3.7.2 does not properly send impersonation notifications, which makes it easier for remote authenticated users to impersonate other users without discovery. La funcionalidad sudo de Bugzilla v2.22rc1 hasta la v3.2.7, v3.3.1 hasta la v3.4.7, v3.5.1 hasta la v3.6.1, y v3.7 hasta la v3.7.2 no envía apropiadamente notificaciones de suplantación, lo que facilita a usuarios remotos autenticados el suplantar a otros usuarios sin una exploración. • http://lists.fedoraproject.org/pipermail/package-announce/2010-August/046518.html http://lists.fedoraproject.org/pipermail/package-announce/2010-August/046534.html http://lists.fedoraproject.org/pipermail/package-announce/2010-August/046546.html http://secunia.com/advisories/40892 http://secunia.com/advisories/41128 http://www.bugzilla.org/security/3.2.7 http://www.securityfocus.com/bid/42275 http://www.vupen.com/english/advisories/2010/2035 http://www.vupen.com/english/advisories/2010/220 • CWE-310: Cryptographic Issues •
CVE-2010-1204
https://notcve.org/view.php?id=CVE-2010-1204
Search.pm in Bugzilla 2.17.1 through 3.2.6, 3.3.1 through 3.4.6, 3.5.1 through 3.6, and 3.7 allows remote attackers to obtain potentially sensitive time-tracking information via a crafted search URL, related to a "boolean chart search." Search.pm en Bugzilla v2.17.1 hasta v3.2.6, v3.3.1 hasta v3.4.6, v3.5.1 hasta v3.6, y v3.7 permite a atacante remotos obtener potencialmente información sensible del tiempo de seguimiento a través de una búsqueda de URL manipulada, relacionado con "boolean chart search." • http://secunia.com/advisories/40300 http://www.bugzilla.org/security/3.2.6 http://www.securityfocus.com/bid/41141 http://www.vupen.com/english/advisories/2010/1595 https://bugzilla.mozilla.org/show_bug.cgi?id=309952 • CWE-264: Permissions, Privileges, and Access Controls •
CVE-2010-2470
https://notcve.org/view.php?id=CVE-2010-2470
Install/Filesystem.pm in Bugzilla 3.5.1 through 3.6.1 and 3.7 through 3.7.1, when use_suexec is enabled, uses world-readable permissions within (1) .bzr/ and (2) data/webdot/, which allows local users to obtain potentially sensitive data by reading files in these directories, a different vulnerability than CVE-2010-0180. Install/Filesystem.pm en Bugzilla v3.5.1 hasta v3.6.1 y v3.7 hasta v3.7.1, cuando está activado use_suexec, usa permisos world-readable dentro de (1) .bzr/ y (2) data/webdot/, lo que permite a usuarios locales, potencialmente obtener información sensible leyendo ficheros en esos directorios, es distinta a CVE-2010-0180. • https://bugzilla.mozilla.org/show_bug.cgi?id=561797 • CWE-264: Permissions, Privileges, and Access Controls •
CVE-2010-0180
https://notcve.org/view.php?id=CVE-2010-0180
Install/Filesystem.pm in Bugzilla 3.5.1 through 3.6 and 3.7, when use_suexec is enabled, uses world-readable permissions for the localconfig files, which allows local users to read sensitive configuration fields, as demonstrated by the database password field and the site_wide_secret field. Install/Filesystem.pm en Bugzilla v3.5.1 hasta v3.6 y v3.7, cuando está activo use_suexec, usa permisos "world-readable" para los ficheros de configuración local, lo que permite a usuarios locales leer información sensible de los campos de configuración, como se demostró por el campo password de la base de datos y el campo site_wide_secret. • http://secunia.com/advisories/40300 http://www.bugzilla.org/security/3.2.6 http://www.securityfocus.com/bid/41144 http://www.vupen.com/english/advisories/2010/1595 https://bugzilla.mozilla.org/show_bug.cgi?id=561797 • CWE-264: Permissions, Privileges, and Access Controls •