CVE-2008-4437

Published: Oct 3, 2008Modified: Apr 23, 2026

7.1

Vector

AV:N/AC:M/Au:N/C:C/I:N/A:N

Exploitability: 8.6 / Impact: 6.9

Source: NVD

Description

Directory traversal vulnerability in importxml.pl in Bugzilla before 2.22.5, and 3.x before 3.0.5, when --attach_path is enabled, allows remote attackers to read arbitrary files via an XML file with a .. (dot dot) in the data element.

Affected (18)

Products: Mozilla: Bugzilla

1 product

Configuration A

18 vulnerable

Vulnerable Software	Affected Versions
Mozilla Bugzilla	Version 2.22.1
Mozilla Bugzilla	Version 2.22.2
Mozilla Bugzilla	Version 2.22.3
Mozilla Bugzilla	Version 2.22.4
Mozilla Bugzilla	Version 2.23.1
Mozilla Bugzilla	Version 2.23.2
Mozilla Bugzilla	Version 2.23.3
Mozilla Bugzilla	Version 2.23.4
Mozilla Bugzilla	Version 2.23
Mozilla Bugzilla	Version 2.4
Mozilla Bugzilla	Version 2.6
Mozilla Bugzilla	Version 2.8
Mozilla Bugzilla	Version 2.9
Mozilla Bugzilla	Version 3.0.2
Mozilla Bugzilla	Version 3.1.1
Mozilla Bugzilla	Version 3.1.2
Mozilla Bugzilla	Version 3.1.3
Mozilla Bugzilla	Version 3.1.4

Related CWEs

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

References (20)

http://secunia.com/advisories/31444

Source: cve@mitre.org

Vendor Advisory

http://secunia.com/advisories/34361

Source: cve@mitre.org

http://www.bugzilla.org/security/2.22.4/

Source: cve@mitre.org

http://www.securityfocus.com/bid/30661

Source: cve@mitre.org

ExploitPatch

http://www.securitytracker.com/id?1020668

Source: cve@mitre.org

http://www.vupen.com/english/advisories/2008/2344

Source: cve@mitre.org

https://bugzilla.mozilla.org/show_bug.cgi?id=437169

Source: cve@mitre.org

Exploit

https://exchange.xforce.ibmcloud.com/vulnerabilities/44407

Source: cve@mitre.org

https://www.redhat.com/archives/fedora-package-announce/2009-March/msg00664.html

Source: cve@mitre.org

https://www.redhat.com/archives/fedora-package-announce/2009-March/msg00687.html

Source: cve@mitre.org

http://secunia.com/advisories/31444

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

http://secunia.com/advisories/34361

Source: af854a3a-2127-422b-91ae-364da2661108

http://www.bugzilla.org/security/2.22.4/

Source: af854a3a-2127-422b-91ae-364da2661108

http://www.securityfocus.com/bid/30661

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitPatch

http://www.securitytracker.com/id?1020668

Source: af854a3a-2127-422b-91ae-364da2661108

http://www.vupen.com/english/advisories/2008/2344

Source: af854a3a-2127-422b-91ae-364da2661108

https://bugzilla.mozilla.org/show_bug.cgi?id=437169

Source: af854a3a-2127-422b-91ae-364da2661108

Exploit

https://exchange.xforce.ibmcloud.com/vulnerabilities/44407

Source: af854a3a-2127-422b-91ae-364da2661108

https://www.redhat.com/archives/fedora-package-announce/2009-March/msg00664.html

Source: af854a3a-2127-422b-91ae-364da2661108

https://www.redhat.com/archives/fedora-package-announce/2009-March/msg00687.html

Source: af854a3a-2127-422b-91ae-364da2661108

Timeline

No history available yet.