Bug 1295438 - (CVE-2015-8509) CVE-2015-8509 bugzilla: information leak when parsing the CSV file
CVE-2015-8509 bugzilla: information leak when parsing the CSV file
Status: NEW
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
All Linux
medium Severity medium
: ---
: ---
Assigned To: Red Hat Product Security
: Security
Depends On: 1295439
  Show dependency treegraph
Reported: 2016-01-04 08:58 EST by Martin Prpič
Modified: 2016-08-23 02:00 EDT (History)
3 users (show)

See Also:
Fixed In Version: bugzilla 4.2.16, bugzilla 4.4.11, bugzilla 5.0.2
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed:
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

  None (edit)
Description Martin Prpič 2016-01-04 08:58:30 EST
Upstream Bugzilla fixed the following issue:

If an external HTML page contains a <script> element with its src attribute pointing to a buglist in CSV format, some web browsers incorrectly try to parse the CSV file as valid JavaScript code. As the buglist is generated based on the privileges of the user logged into Bugzilla, the external page could collect confidential data contained in the CSV file.

This issue was fixed in versions 4.2.16, 4.4.11, and 5.0.2.

Upstream bug:

Comment 1 Martin Prpič 2016-01-04 08:59:02 EST
Created bugzilla tracking bugs for this issue:

Affects: fedora-all [bug 1295439]
Comment 2 Emmanuel Seyman 2016-07-14 03:52:35 EDT
The update that fixes this issue was published late 2015 (this is update FEDORA-2015-247b517a18, btw). I'm quite confident that this bug can be closed.

Note You need to log in before you can comment on or make changes to this bug.