CVE-2009-3989: Mozilla Bugzilla vulnerability

CWE-264 | 5 documents | 5 sources
Severity: 4.3 MEDIUM (NVD)
EPSS: 0.7% (top 29.11%)
CISA KEV: Not in KEV
Exploit: No known exploits
Affected products
Timeline
Published: Feb 3
Latest update: May 2

Description

Bugzilla before 3.0.11, 3.2.x before 3.2.6, 3.4.x before 3.4.5, and 3.5.x before 3.5.3 does not block access to files and directories that are used by custom installations, which allows remote attackers to obtain sensitive information via requests for (1) CVS/, (2) contrib/, (3) docs/en/xml/, (4) t/, or (5) old-params.txt.

CVSS vector

AV:N/AC:M/C:P/I:N/A:N
Exploitability: 8.6 | Impact: 2.9

Affected Packages (1 package)

NVD | mozilla/bugzilla | 3.0.10 +76

Patches

🔴 Vulnerability Details (2)

GHSA | GHSA-gvr3-v3rm-vjm4: Bugzilla before 3 | 2022-05-02
CVEList | CVE-2009-3989: Bugzilla before 3 | 2010-02-03

📋 Vendor Advisories (1)

Red Hat | bugzilla: Sensitive information disclosure via various attack vectors | 2005-11-02

💬 Community (1)

Bugzilla | CVE-2009-3387 CVE-2009-3989 bugzilla: Sensitive information disclosure via various attack vectors | 2010-02-04