Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 405477 (CVE-2012-0453) - <www-apps/bugzilla-4.0.5 : Cross-Site Request Forgery Vulnerability (CVE-2012-0453)
Summary: <www-apps/bugzilla-4.0.5 : Cross-Site Request Forgery Vulnerability (CVE-2012...
Alias: CVE-2012-0453
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal trivial (vote)
Assignee: Gentoo Security
Whiteboard: ~4 [noglsa]
Depends on:
Reported: 2012-02-23 20:03 UTC by Agostino Sarubbo
Modified: 2012-02-29 13:03 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2012-02-23 20:03:36 UTC
From secunia advisory:

A vulnerability has been reported in Bugzilla, which can be exploited by malicious people to conduct cross-site request forgery attacks.

The application's web interface allows users to perform certain actions via HTTP requests without performing any validity checks to verify the requests. This can be exploited to e.g. change certain bug data or execute certain administrative tasks by tricking a logged in user into visiting a malicious web site.

The vulnerability is reported in versions 4.0.2 through 4.0.4 and 4.1.1 through 4.2rc2.

Update to version 4.0.5 or 4.2.
Comment 1 GLSAMaker/CVETool Bot gentoo-dev 2012-02-25 20:03:36 UTC
CVE-2012-0453 (
  Cross-site request forgery (CSRF) vulnerability in xmlrpc.cgi in Bugzilla
  4.0.2 through 4.0.4 and 4.1.1 through 4.2rc2, when mod_perl is used, allows
  remote attackers to hijack the authentication of arbitrary users for
  requests that modify the product's installation via the XML-RPC API.
Comment 2 Christian Ruppert (idl0r) gentoo-dev 2012-02-28 14:53:35 UTC
4.0.5 and 4.2 are in gentoo-x86 now.
Comment 3 Agostino Sarubbo gentoo-dev 2012-02-29 13:03:19 UTC
(In reply to comment #2)
> 4.0.5 and 4.2 are in gentoo-x86 now.

Thanks, fixed.