CVE-2012-0465
Bugzilla 3.5.x-3.6.8, 3.7.x-4.0.5, 4.1.x-4.2.0 - Authentication Bypass via X-Forwarded-For Header
Title source: llmDescription
Bugzilla 3.5.x and 3.6.x before 3.6.9, 3.7.x and 4.0.x before 4.0.6, and 4.1.x and 4.2.x before 4.2.1, when the inbound_proxies option is enabled, does not properly validate the X-Forwarded-For HTTP header, which allows remote attackers to bypass the lockout policy via a series of authentication requests with (1) different IP address strings in this header or (2) a long string in this header.
References (5)
Core 5
Core References
Patch x_refsource_confirm
https://bugzilla.mozilla.org/show_bug.cgi?id=728639
Mailing List, Third Party Advisory vendor-advisory
x_refsource_fedora
http://lists.fedoraproject.org/pipermail/package-announce/2012-May/079604.html
Third Party Advisory mailing-list
x_refsource_bugtraq
http://archives.neohapsis.com/archives/bugtraq/2012-04/0135.html
Mailing List, Third Party Advisory vendor-advisory
x_refsource_fedora
http://lists.fedoraproject.org/pipermail/package-announce/2012-May/079481.html
Mailing List, Third Party Advisory vendor-advisory
x_refsource_fedora
http://lists.fedoraproject.org/pipermail/package-announce/2012-May/079432.html
Scores
EPSS
0.0123
EPSS Percentile
65.7%
Details
CWE
CWE-264
Status
published
Products (24)
mozilla/bugzilla
3.5.1
mozilla/bugzilla
3.5.2
mozilla/bugzilla
3.5.3
mozilla/bugzilla
3.6.0
mozilla/bugzilla
3.6.1
mozilla/bugzilla
3.6.2
mozilla/bugzilla
3.6.3
mozilla/bugzilla
3.6.4
mozilla/bugzilla
3.6.5
mozilla/bugzilla
3.6.6
... and 14 more
Published
Apr 27, 2012
Tracked Since
Feb 18, 2026