CVE-2010-3172 — Code Injection in Mozilla Bugzilla

CWE-94 — Code Injection9 documents5 sources

Severity

2.6LOWNVD

EPSS

0.7%

top 27.24%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Mozilla Bugzilla

Timeline

PublishedNov 5

Latest updateMay 17

Description

CRLF injection vulnerability in Bugzilla before 3.2.9, 3.4.x before 3.4.9, 3.6.x before 3.6.3, and 4.0.x before 4.0rc1, when Server Push is enabled in a web browser, allows remote attackers to inject arbitrary HTTP headers and content, and conduct HTTP response splitting attacks, via a crafted URL.

CVSS vector

AV:N/AC:H/C:N/I:P/A:NExploitability: 4.9 | Impact: 2.9

Affected Packages1 packages

▶NVDmozilla/bugzilla3.2.8+94

🔴Vulnerability Details

GHSA

GHSA-rqgr-h8g8-4p6w: CRLF injection vulnerability in Bugzilla before 3↗2022-05-17

▶

CVEList

CVE-2010-3172: CRLF injection vulnerability in Bugzilla before 3↗2010-11-05

▶

📋Vendor Advisories

Red Hat

perl-CGI-Simple: - hardcoded MIME boundary value for multipart content, CVE-2010-4410 - CRLF injection allowing HTTP response splitting↗2010-11-10

▶

Red Hat

perl-CGI-Simple: - hardcoded MIME boundary value for multipart content, CVE-2010-4410 - CRLF injection allowing HTTP response splitting↗2010-11-10

▶

💬Community

Bugzilla

CVE-2010-3172 bugzilla: header and content injection vulnerability via Server Push↗2010-11-03

▶

Bugzilla

CVE-2010-3172 CVE-2010-3764 bugzilla various flaws [fedora-all]↗2010-11-03

▶