CVE-2014-8630
Bugzilla <4.0.16, <4.2.12, <4.4.7, <5.0rc1 - Command Injection
Bugzilla before 4.0.16, 4.1.x and 4.2.x before 4.2.12, 4.3.x and 4.4.x before 4.4.7, and 5.x before 5.0rc1 allows remote authenticated users to execute arbitrary commands by leveraging the editcomponents privilege and triggering crafted input to a two-argument Perl open call, as demonstrated by shell metacharacters in a product name.
References (7)
Core References
Third Party Advisory x_refsource_confirm
http://advisories.mageia.org/MGASA-2015-0048.html
Issue Tracking, Vendor Advisory x_refsource_confirm
https://bugzilla.mozilla.org/show_bug.cgi?id=1079065
Third Party Advisory vendor-advisory x_refsource_fedora
http://lists.fedoraproject.org/pipermail/package-announce/2015-February/149921.html
Third Party Advisory vendor-advisory x_refsource_fedora
http://lists.fedoraproject.org/pipermail/package-announce/2015-February/149925.html
Vendor Advisory vendor-advisory x_refsource_mandriva
http://www.mandriva.com/security/advisories?name=MDVSA-2015:030
Third Party Advisory vendor-advisory x_refsource_gentoo
https://security.gentoo.org/glsa/201607-11
Issue Tracking, Patch, Vendor Advisory x_refsource_confirm
http://www.bugzilla.org/security/4.0.15/
Scores
EPSS: 0.0063
EPSS Percentile: 70.7%
Details
CWE: CWE-77
Status: published
Products (37)
fedoraproject/fedora 20
fedoraproject/fedora 21
mozilla/bugzilla 4.1
mozilla/bugzilla 4.1.1
mozilla/bugzilla 4.1.2
mozilla/bugzilla 4.1.3
mozilla/bugzilla 4.2 (3 CPE variants)
mozilla/bugzilla 4.2.1
mozilla/bugzilla 4.2.2
mozilla/bugzilla 4.2.3
... and 27 more
Published: Feb 01, 2015
Tracked Since: Feb 18, 2026