Bug 1123172 (CVE-2014-1546) - CVE-2014-1546 bugzilla: Cross Site Request Forgery issue with Bugzilla's JSONP endpoint
Summary: CVE-2014-1546 bugzilla: Cross Site Request Forgery issue with Bugzilla's JSON...
Keywords:
Status: NEW
Alias: CVE-2014-1546
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard: impact=moderate,public=20140708,repor...
Depends On: 1123173
Blocks:
TreeView+ depends on / blocked
 
Reported: 2014-07-25 04:29 UTC by Murray McAllister
Modified: 2019-06-08 20:07 UTC (History)
3 users (show)

Fixed In Version: bugzilla 4.0.14, bugzilla 4.2.10, bugzilla 4.4.5, bugzilla 4.5.5
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:


Attachments (Terms of Use)

Description Murray McAllister 2014-07-25 04:29:31 UTC
The upstream Bugzilla 4.0.14, 4.2.10, 4.4.5, 4.5.5 releases fix the following issue:

""
Adobe does not properly restrict the SWF file format,
which allows remote attackers to conduct cross-site
request forgery (CSRF) attacks against Bugzilla's JSONP
endpoint, possibly obtaining sensitive bug information,
via a crafted OBJECT element with SWF content satisfying
the character-set requirements of a callback API.

References:  https://bugzilla.mozilla.org/show_bug.cgi?id=1036213
""

The 3.2.10 and 3.4.14 versions in EPEL 5 and 6 appear too old to be affected.

Reference:

http://www.bugzilla.org/security/4.0.13/

Comment 1 Murray McAllister 2014-07-25 04:30:38 UTC
Created bugzilla tracking bugs for this issue:

Affects: fedora-all [bug 1123173]

Comment 2 Tomas Hoger 2014-07-25 06:48:48 UTC
Note that the issue was fixed in Adobe Flash, see CVE-2014-4671 (bug 1117588).  The fix in Flash should address the issue, with Bugzilla fix only providing protection to users running outdated Flash.

Details of the attack are in the following blog post:
http://miki.it/blog/2014/7/8/abusing-jsonp-with-rosetta-flash/

Other links can be found in bug 1117588 comment 4.

Comment 3 Fedora Update System 2014-08-01 06:02:58 UTC
bugzilla-4.2.10-1.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 4 Fedora Update System 2014-08-07 15:33:38 UTC
bugzilla-4.2.10-1.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.


Note You need to log in before you can comment on or make changes to this bug.