CVE-2002-0008 - Vulnerability Details - OpenCVE

Bugzilla before 2.14.1 allows remote attackers to (1) spoof a user comment via an HTTP request to process_bug.cgi using the "who" parameter, instead of the Bugzilla_login cookie, or (2) post a bug as another user by modifying the reporter parameter to enter_bug.cgi, which is passed to post_bug.cgi.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Mozilla	Bugzilla
Redhat	Powertools

Configuration 1 [-]

cpe:2.3:a:mozilla:bugzilla:*:*:*:*:*:*:*:*

Package	CPE	Advisory	Released Date
Red Hat Powertools 7.0
	cpe:/a:redhat:powertools:7.0	RHSA-2002:001	2002-01-15T00:00:00Z
Red Hat Powertools 7.1
	cpe:/a:redhat:powertools:7.1	RHSA-2002:001	2002-01-15T00:00:00Z

References

Link	Providers
http://archives.neohapsis.com/archives/bugtraq/2002-01/0034.html
http://bugzilla.mozilla.org/show_bug.cgi?id=108385
http://bugzilla.mozilla.org/show_bug.cgi?id=108516
http://rhn.redhat.com/errata/RHSA-2002-001.html
http://www.bugzilla.org/security2_14_1.html
http://www.iss.net/security_center/static/7804.php
http://www.iss.net/security_center/static/7805.php
http://www.securityfocus.com/bid/3793
http://www.securityfocus.com/bid/3794
https://nvd.nist.gov/vuln/detail/CVE-2002-0008
https://www.cve.org/CVERecord?id=CVE-2002-0008

History

No history.

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2002-01-10T05:00:00

Updated: 2024-08-08T02:35:16.978Z

Reserved: 2002-01-09T00:00:00

Link: CVE-2002-0008

Vulnrichment

No data.

NVD

Status : Deferred

Published: 2002-01-31T05:00:00.000

Modified: 2025-04-03T01:03:51.193

Link: CVE-2002-0008

Redhat

Severity :

Publid Date: 2002-01-05T00:00:00Z

Links: CVE-2002-0008 - Bugzilla

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2002-01-05T00:00:00", "descriptions": [{"lang": "en", "value": "Bugzilla before 2.14.1 allows remote attackers to (1) spoof a user comment via an HTTP request to process_bug.cgi using the \"who\" parameter, instead of the Bugzilla_login cookie, or (2) post a bug as another user by modifying the reporter parameter to enter_bug.cgi, which is passed to post_bug.cgi."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2005-07-03T00:00:00", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_MISC"], "url": "http://bugzilla.mozilla.org/show_bug.cgi?id=108385"}, {"name": "bugzilla-processbug-comment-spoofing(7805)", "tags": ["vdb-entry", "x_refsource_XF"], "url": "http://www.iss.net/security_center/static/7805.php"}, {"name": "3794", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/3794"}, {"name": "RHSA-2002:001", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "http://rhn.redhat.com/errata/RHSA-2002-001.html"}, {"name": "20020105 Security Advisory for Bugzilla v2.15 (cvs20020103) and older", "tags": ["mailing-list", "x_refsource_BUGTRAQ"], "url": "http://archives.neohapsis.com/archives/bugtraq/2002-01/0034.html"}, {"name": "3793", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/3793"}, {"tags": ["x_refsource_CONFIRM"], "url": "http://www.bugzilla.org/security2_14_1.html"}, {"tags": ["x_refsource_MISC"], "url": "http://bugzilla.mozilla.org/show_bug.cgi?id=108516"}, {"name": "bugzilla-postbug-report-spoofing(7804)", "tags": ["vdb-entry", "x_refsource_XF"], "url": "http://www.iss.net/security_center/static/7804.php"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2002-0008", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Bugzilla before 2.14.1 allows remote attackers to (1) spoof a user comment via an HTTP request to process_bug.cgi using the \"who\" parameter, instead of the Bugzilla_login cookie, or (2) post a bug as another user by modifying the reporter parameter to enter_bug.cgi, which is passed to post_bug.cgi."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "http://bugzilla.mozilla.org/show_bug.cgi?id=108385", "refsource": "MISC", "url": "http://bugzilla.mozilla.org/show_bug.cgi?id=108385"}, {"name": "bugzilla-processbug-comment-spoofing(7805)", "refsource": "XF", "url": "http://www.iss.net/security_center/static/7805.php"}, {"name": "3794", "refsource": "BID", "url": "http://www.securityfocus.com/bid/3794"}, {"name": "RHSA-2002:001", "refsource": "REDHAT", "url": "http://rhn.redhat.com/errata/RHSA-2002-001.html"}, {"name": "20020105 Security Advisory for Bugzilla v2.15 (cvs20020103) and older", "refsource": "BUGTRAQ", "url": "http://archives.neohapsis.com/archives/bugtraq/2002-01/0034.html"}, {"name": "3793", "refsource": "BID", "url": "http://www.securityfocus.com/bid/3793"}, {"name": "http://www.bugzilla.org/security2_14_1.html", "refsource": "CONFIRM", "url": "http://www.bugzilla.org/security2_14_1.html"}, {"name": "http://bugzilla.mozilla.org/show_bug.cgi?id=108516", "refsource": "MISC", "url": "http://bugzilla.mozilla.org/show_bug.cgi?id=108516"}, {"name": "bugzilla-postbug-report-spoofing(7804)", "refsource": "XF", "url": "http://www.iss.net/security_center/static/7804.php"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-08T02:35:16.978Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "http://bugzilla.mozilla.org/show_bug.cgi?id=108385"}, {"name": "bugzilla-processbug-comment-spoofing(7805)", "tags": ["vdb-entry", "x_refsource_XF", "x_transferred"], "url": "http://www.iss.net/security_center/static/7805.php"}, {"name": "3794", "tags": ["vdb-entry", "x_refsource_BID", "x_transferred"], "url": "http://www.securityfocus.com/bid/3794"}, {"name": "RHSA-2002:001", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"], "url": "http://rhn.redhat.com/errata/RHSA-2002-001.html"}, {"name": "20020105 Security Advisory for Bugzilla v2.15 (cvs20020103) and older", "tags": ["mailing-list", "x_refsource_BUGTRAQ", "x_transferred"], "url": "http://archives.neohapsis.com/archives/bugtraq/2002-01/0034.html"}, {"name": "3793", "tags": ["vdb-entry", "x_refsource_BID", "x_transferred"], "url": "http://www.securityfocus.com/bid/3793"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "http://www.bugzilla.org/security2_14_1.html"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "http://bugzilla.mozilla.org/show_bug.cgi?id=108516"}, {"name": "bugzilla-postbug-report-spoofing(7804)", "tags": ["vdb-entry", "x_refsource_XF", "x_transferred"], "url": "http://www.iss.net/security_center/static/7804.php"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2002-0008", "datePublished": "2002-01-10T05:00:00", "dateReserved": "2002-01-09T00:00:00", "dateUpdated": "2024-08-08T02:35:16.978Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:mozilla:bugzilla:*:*:*:*:*:*:*:*", "matchCriteriaId": "F99F6759-911F-4616-B27E-0EF33A08F2D3", "versionEndIncluding": "2.14.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Bugzilla before 2.14.1 allows remote attackers to (1) spoof a user comment via an HTTP request to process_bug.cgi using the \"who\" parameter, instead of the Bugzilla_login cookie, or (2) post a bug as another user by modifying the reporter parameter to enter_bug.cgi, which is passed to post_bug.cgi."}, {"lang": "es", "value": "Versiones anteriores a la 2.14.1 de Bugzilla permiten que un atacante remoto (1) falsee el comentario de un usuario por medio de una petici\u00f3n HTTP usando process_bug.cgi y el par\u00e1metro \"who\" en vez de una cokie de Bugzilla_login, o (2) env\u00ede un bug como otro usuario, modificando el par\u00e1metro de enter_bug.cgi, el cual se pasa a post_bug.cgi."}], "id": "CVE-2002-0008", "lastModified": "2025-04-03T01:03:51.193", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": true, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}]}, "published": "2002-01-31T05:00:00.000", "references": [{"source": "cve@mitre.org", "url": "http://archives.neohapsis.com/archives/bugtraq/2002-01/0034.html"}, {"source": "cve@mitre.org", "tags": ["Vendor Advisory"], "url": "http://bugzilla.mozilla.org/show_bug.cgi?id=108385"}, {"source": "cve@mitre.org", "tags": ["Vendor Advisory"], "url": "http://bugzilla.mozilla.org/show_bug.cgi?id=108516"}, {"source": "cve@mitre.org", "url": "http://rhn.redhat.com/errata/RHSA-2002-001.html"}, {"source": "cve@mitre.org", "tags": ["Vendor Advisory"], "url": "http://www.bugzilla.org/security2_14_1.html"}, {"source": "cve@mitre.org", "url": "http://www.iss.net/security_center/static/7804.php"}, {"source": "cve@mitre.org", "url": "http://www.iss.net/security_center/static/7805.php"}, {"source": "cve@mitre.org", "url": "http://www.securityfocus.com/bid/3793"}, {"source": "cve@mitre.org", "url": "http://www.securityfocus.com/bid/3794"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://archives.neohapsis.com/archives/bugtraq/2002-01/0034.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "http://bugzilla.mozilla.org/show_bug.cgi?id=108385"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "http://bugzilla.mozilla.org/show_bug.cgi?id=108516"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://rhn.redhat.com/errata/RHSA-2002-001.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "http://www.bugzilla.org/security2_14_1.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.iss.net/security_center/static/7804.php"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.iss.net/security_center/static/7805.php"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.securityfocus.com/bid/3793"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.securityfocus.com/bid/3794"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-Other"}], "source": "nvd@nist.gov", "type": "Primary"}]}