CVE-2012-0465

Bugzilla 3.5.x-3.6.8, 3.7.x-4.0.5, 4.1.x-4.2.0 - Authentication Bypass via X-Forwarded-For Header

Title source: llm
STIX 2.1

Description

Bugzilla 3.5.x and 3.6.x before 3.6.9, 3.7.x and 4.0.x before 4.0.6, and 4.1.x and 4.2.x before 4.2.1, when the inbound_proxies option is enabled, does not properly validate the X-Forwarded-For HTTP header, which allows remote attackers to bypass the lockout policy via a series of authentication requests with (1) different IP address strings in this header or (2) a long string in this header.

References (5)

Core 5
Core References
Mailing List, Third Party Advisory vendor-advisory x_refsource_fedora
http://lists.fedoraproject.org/pipermail/package-announce/2012-May/079604.html
Third Party Advisory mailing-list x_refsource_bugtraq
http://archives.neohapsis.com/archives/bugtraq/2012-04/0135.html
Mailing List, Third Party Advisory vendor-advisory x_refsource_fedora
http://lists.fedoraproject.org/pipermail/package-announce/2012-May/079481.html
Mailing List, Third Party Advisory vendor-advisory x_refsource_fedora
http://lists.fedoraproject.org/pipermail/package-announce/2012-May/079432.html

Scores

EPSS 0.0123
EPSS Percentile 65.7%

Details

CWE
CWE-264
Status published
Products (24)
mozilla/bugzilla 3.5.1
mozilla/bugzilla 3.5.2
mozilla/bugzilla 3.5.3
mozilla/bugzilla 3.6.0
mozilla/bugzilla 3.6.1
mozilla/bugzilla 3.6.2
mozilla/bugzilla 3.6.3
mozilla/bugzilla 3.6.4
mozilla/bugzilla 3.6.5
mozilla/bugzilla 3.6.6
... and 14 more
Published Apr 27, 2012
Tracked Since Feb 18, 2026