Information Disclosure in Bugzilla Affects Multiple Versions
CVE-2012-4198
Currently unrated
What is CVE-2012-4198?
A vulnerability in the User.get method of Bugzilla's WebService module could allow remote authenticated users to infer the existence of private group names. The method's response differs depending on whether a requested group exists: a request naming a non-existent group may throw an error, while a request naming a valid group does not. This differential response can inadvertently expose sensitive details to users who should not have access to them.
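The differential response described above, shown as an added example in a simplified Python model rather than Bugzilla's own code. The group data, function names and the hardened behaviour (one error for both "missing" and "not visible") are assumptions made for illustration.

```python
# Simplified model (constructed data, hypothetical names); not Bugzilla's code.
GROUPS = {
    "editbugs": {"public": True, "members": {"alice", "bob"}},
    "security-embargo": {"public": False, "members": {"alice"}},
}


class GroupLookupError(Exception):
    """Error returned to the API caller."""


def visible_to(caller, name):
    """A caller may see a group if it is public or the caller belongs to it."""
    group = GROUPS.get(name)
    return group is not None and (group["public"] or caller in group["members"])


def get_users_vulnerable(caller, group_names):
    """Errors only for names that do not exist, so the error acts as an oracle."""
    users = set()
    for name in group_names:
        if name not in GROUPS:
            raise GroupLookupError(f"group {name!r} does not exist")
        if visible_to(caller, name):
            users |= GROUPS[name]["members"]
    return sorted(users)


def get_users_hardened(caller, group_names):
    """Treats 'does not exist' and 'not visible to caller' identically."""
    users = set()
    for name in group_names:
        if not visible_to(caller, name):
            raise GroupLookupError(f"group {name!r} does not exist or is not accessible")
        users |= GROUPS[name]["members"]
    return sorted(users)


def outcome(func, caller, name):
    """Normalise a call to a comparable outcome, with the name masked out."""
    try:
        return ("ok", tuple(func(caller, [name])))
    except GroupLookupError as exc:
        return ("error", str(exc).replace(repr(name), "<name>"))


def leaks_existence(func, caller, private_name, missing_name):
    """Regression check: True if the two cases are distinguishable."""
    return outcome(func, caller, private_name) != outcome(func, caller, missing_name)
```

`leaks_existence` is the kind of regression check to keep in a test suite: it passes only when a private group and a non-existent one produce the same outcome for a caller who is not a member.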
Timeline
Vulnerability published
Vulnerability Reserved