CVE-2012-0465 — Mozilla Bugzilla vulnerability

CWE-2643 documents3 sources

Severity

4.3MEDIUMNVD

EPSS

0.2%

top 52.39%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Mozilla Bugzilla

Timeline

PublishedApr 27

Latest updateMay 4

Description

Bugzilla 3.5.x and 3.6.x before 3.6.9, 3.7.x and 4.0.x before 4.0.6, and 4.1.x and 4.2.x before 4.2.1, when the inbound_proxies option is enabled, does not properly validate the X-Forwarded-For HTTP header, which allows remote attackers to bypass the lockout policy via a series of authentication requests with (1) different IP address strings in this header or (2) a long string in this header.

CVSS vector

AV:N/AC:M/C:P/I:N/A:NExploitability: 8.6 | Impact: 2.9

Affected Packages1 packages

▶NVDmozilla/bugzilla24 versions+23

Patches

Patch: bugzilla.mozilla.org ↗Patch: bugzilla.mozilla.org ↗

🔴Vulnerability Details

GHSA

GHSA-fhx8-238h-cc4x: Bugzilla 3↗2022-05-04

▶

CVEList

CVE-2012-0465: Bugzilla 3↗2012-04-27

▶