CVE-2012-4198

Published: Nov 16, 2012Modified: Apr 29, 2026

4.0

Vector

AV:N/AC:L/Au:S/C:P/I:N/A:N

Exploitability: 8.0 / Impact: 2.9

Source: NVD

Description

The User.get method in Bugzilla/WebService/User.pm in Bugzilla 3.7.x and 4.0.x before 4.0.9, 4.1.x and 4.2.x before 4.2.4, and 4.3.x and 4.4.x before 4.4rc1 has a different outcome for a groups request depending on whether a group exists, which allows remote authenticated users to discover private group names by observing whether a call throws an error.

Affected (29)

Products: Mozilla: Bugzilla

Mozilla

1 product

Bugzilla

Configuration A

4 vulnerable

Vulnerable Software	Affected Versions
Mozilla Bugzilla	Version 3.7.1
Mozilla Bugzilla	Version 3.7.2
Mozilla Bugzilla	Version 3.7.3
Mozilla Bugzilla	Version 3.7

Configuration B

11 vulnerable

Vulnerable Software	Affected Versions
Mozilla Bugzilla	Version 4.0.1
Mozilla Bugzilla	Version 4.0.2
Mozilla Bugzilla	Version 4.0.3
Mozilla Bugzilla	Version 4.0.4
Mozilla Bugzilla	Version 4.0.5
Mozilla Bugzilla	Version 4.0.6
Mozilla Bugzilla	Version 4.0.7
Mozilla Bugzilla	Version 4.0.8
Mozilla Bugzilla	Version 4.0
Mozilla Bugzilla	Version 4.0 rc1
Mozilla Bugzilla	Version 4.0 rc2

Configuration C

4 vulnerable

Vulnerable Software	Affected Versions
Mozilla Bugzilla	Version 4.1.1
Mozilla Bugzilla	Version 4.1.2
Mozilla Bugzilla	Version 4.1.3
Mozilla Bugzilla	Version 4.1

Configuration D

6 vulnerable

Vulnerable Software	Affected Versions
Mozilla Bugzilla	Version 4.2.1
Mozilla Bugzilla	Version 4.2.2
Mozilla Bugzilla	Version 4.2.3
Mozilla Bugzilla	Version 4.2
Mozilla Bugzilla	Version 4.2 rc1
Mozilla Bugzilla	Version 4.2 rc2