CVE-2014-8630

EPSS 0.63%
Published 01.02.2015 15:59:04
Last modified 12.04.2025 10:46:40
Source security@mozilla.org
Teams watchlist Login
Open Login

Bugzilla before 4.0.16, 4.1.x and 4.2.x before 4.2.12, 4.3.x and 4.4.x before 4.4.7, and 5.x before 5.0rc1 allows remote authenticated users to execute arbitrary commands by leveraging the editcomponents privilege and triggering crafted input to a two-argument Perl open call, as demonstrated by shell metacharacters in a product name.

Affected products Warnungen 0 Metrics 2 CWE 1 References 10

Data is provided by the National Vulnerability Database (NVD)

Mozilla ≫ Bugzilla Version <= 4.0.16

Mozilla ≫ Bugzilla Version4.1

Mozilla ≫ Bugzilla Version4.1.1

Mozilla ≫ Bugzilla Version4.1.2

Mozilla ≫ Bugzilla Version4.1.3

Mozilla ≫ Bugzilla Version4.2

Mozilla ≫ Bugzilla Version4.2 Updaterc1

Mozilla ≫ Bugzilla Version4.2 Updaterc2

Mozilla ≫ Bugzilla Version4.2.1

Mozilla ≫ Bugzilla Version4.2.2

Mozilla ≫ Bugzilla Version4.2.3

Mozilla ≫ Bugzilla Version4.2.4

Mozilla ≫ Bugzilla Version4.2.5

Mozilla ≫ Bugzilla Version4.2.6

Mozilla ≫ Bugzilla Version4.2.7

Mozilla ≫ Bugzilla Version4.2.8

Mozilla ≫ Bugzilla Version4.2.9

Mozilla ≫ Bugzilla Version4.2.10

Mozilla ≫ Bugzilla Version4.2.11

Mozilla ≫ Bugzilla Version4.3

Mozilla ≫ Bugzilla Version4.3.1

Mozilla ≫ Bugzilla Version4.3.2

Mozilla ≫ Bugzilla Version4.3.3

Mozilla ≫ Bugzilla Version4.4

Mozilla ≫ Bugzilla Version4.4 Updaterc1

Mozilla ≫ Bugzilla Version4.4 Updaterc2

Mozilla ≫ Bugzilla Version4.4.1

Mozilla ≫ Bugzilla Version4.4.2

Mozilla ≫ Bugzilla Version4.4.3

Mozilla ≫ Bugzilla Version4.4.4

Mozilla ≫ Bugzilla Version4.4.5

Mozilla ≫ Bugzilla Version4.4.6

Mozilla ≫ Bugzilla Version4.5

Mozilla ≫ Bugzilla Version4.5.1

Mozilla ≫ Bugzilla Version4.5.2

Mozilla ≫ Bugzilla Version4.5.3

Mozilla ≫ Bugzilla Version4.5.4

Mozilla ≫ Bugzilla Version4.5.5

Mozilla ≫ Bugzilla Version4.5.6

Fedoraproject ≫ Fedora Version20

Fedoraproject ≫ Fedora Version21

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	0.63%	0.696

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	6.5	8	6.4	AV:N/AC:L/Au:S/C:P/I:P/A:P

CWE-77 Improper Neutralization of Special Elements used in a Command ('Command Injection')

The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.

https://security.gentoo.org/glsa/201607-11

http://advisories.mageia.org/MGASA-2015-0048.html

http://lists.fedoraproject.org/pipermail/package-announce/2015-February/149921.html

Third Party Advisory

http://lists.fedoraproject.org/pipermail/package-announce/2015-February/149925.html

Third Party Advisory

http://www.bugzilla.org/security/4.0.15/

Patch

Vendor Advisory

Issue Tracking

http://www.mandriva.com/security/advisories?name=MDVSA-2015:030

https://bugzilla.mozilla.org/show_bug.cgi?id=1079065