Insecure Error Handling in Bugzilla by Mozilla
CVE-2013-0786
Currently unrated
What is CVE-2013-0786?
The vulnerability lies in Bugzilla's Bugzilla::Search::build_subselect function, which returns different error messages for an invalid product query depending on whether the product exists. When the application runs in debug mode, remote attackers can use this inconsistency to discover the names of private products, exposing sensitive information that could aid further attacks or reconnaissance.
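The failure mode described above, shown as an added example that is not Bugzilla's code: a constructed product lookup whose debug-mode errors differ by existence, beside a hardened form and a regression check that compares the two responses. All names (`PRODUCTS`, `lookup_leaky`, `lookup_uniform`, `leaks_existence`) and the message texts are assumptions made for the illustration.

```python
import logging

log = logging.getLogger("search")

# Constructed sample data: product name -> groups allowed to see it (None = public).
PRODUCTS = {"PublicApp": None, "SecretProject": {"core-team"}}

class QueryError(Exception):
    """Error whose text is shown to the requesting client."""

def visible(product, user_groups):
    allowed = PRODUCTS[product]
    return allowed is None or bool(allowed & user_groups)

def lookup_leaky(product, user_groups, debug=False):
    """'Before' form: in debug mode the error text depends on existence."""
    if product not in PRODUCTS:
        raise QueryError(f"unknown product '{product}'" if debug else "invalid query")
    if not visible(product, user_groups):
        raise QueryError(f"access denied to '{product}'" if debug else "invalid query")
    return product

def lookup_uniform(product, user_groups, debug=False):
    """Hardened form: one client-facing message; the reason goes to the server log."""
    if product not in PRODUCTS:
        reason = "no such product"
    elif not visible(product, user_groups):
        reason = "not visible to caller"
    else:
        return product
    if debug:
        log.debug("product lookup rejected (%s): %r", reason, product)
    raise QueryError("product does not exist or you cannot access it")

def client_error(lookup, product, user_groups, debug):
    try:
        lookup(product, user_groups, debug)
        return None
    except QueryError as exc:
        # Strip the echoed name so only the wording is compared.
        return str(exc).replace(product, "<name>")

def leaks_existence(lookup, debug):
    """Regression check: a hidden product and a nonexistent one must look identical."""
    hidden = client_error(lookup, "SecretProject", set(), debug)
    missing = client_error(lookup, "NoSuchProduct", set(), debug)
    return hidden != missing
```

Running `leaks_existence` against every error path with debug output both on and off is the useful part: the leaky form passes with debug off and fails only once debug is enabled.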