Bugzilla 2.x through 4.0.x before 4.0.15, 4.1.x and 4.2.x before 4.2.11, 4.3.x and 4.4.x before 4.4.6, and 4.5.x before 4.5.6 allows remote authenticated users to obtain sensitive private-comment information by leveraging a role as a flag recipient, related to Bug.pm, Flag.pm, and a mail template.
The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Bugzilla | Mozilla | 2.0 (including) | 2.0 (including) |
| Bugzilla | Mozilla | 2.2 (including) | 2.2 (including) |
| Bugzilla | Mozilla | 2.4 (including) | 2.4 (including) |
| Bugzilla | Mozilla | 2.6 (including) | 2.6 (including) |
| Bugzilla | Mozilla | 2.8 (including) | 2.8 (including) |
| Bugzilla | Mozilla | 2.9 (including) | 2.9 (including) |
| Bugzilla | Mozilla | 2.10 (including) | 2.10 (including) |
| Bugzilla | Mozilla | 2.12 (including) | 2.12 (including) |
| Bugzilla | Mozilla | 2.14 (including) | 2.14 (including) |
| Bugzilla | Mozilla | 2.14.1 (including) | 2.14.1 (including) |
| Bugzilla | Mozilla | 2.14.2 (including) | 2.14.2 (including) |
| Bugzilla | Mozilla | 2.14.3 (including) | 2.14.3 (including) |
| Bugzilla | Mozilla | 2.14.4 (including) | 2.14.4 (including) |
| Bugzilla | Mozilla | 2.14.5 (including) | 2.14.5 (including) |
| Bugzilla | Mozilla | 2.16 (including) | 2.16 (including) |
| Bugzilla | Mozilla | 2.16-rc1 (including) | 2.16-rc1 (including) |
| Bugzilla | Mozilla | 2.16-rc2 (including) | 2.16-rc2 (including) |
| Bugzilla | Mozilla | 2.16.1 (including) | 2.16.1 (including) |
| Bugzilla | Mozilla | 2.16.2 (including) | 2.16.2 (including) |
| Bugzilla | Mozilla | 2.16.3 (including) | 2.16.3 (including) |
| Bugzilla | Mozilla | 2.16.4 (including) | 2.16.4 (including) |
| Bugzilla | Mozilla | 2.16.5 (including) | 2.16.5 (including) |
| Bugzilla | Mozilla | 2.16.6 (including) | 2.16.6 (including) |
| Bugzilla | Mozilla | 2.16.7 (including) | 2.16.7 (including) |
| Bugzilla | Mozilla | 2.16.8 (including) | 2.16.8 (including) |
| Bugzilla | Mozilla | 2.16.9 (including) | 2.16.9 (including) |
| Bugzilla | Mozilla | 2.16.10 (including) | 2.16.10 (including) |
| Bugzilla | Mozilla | 2.16.11 (including) | 2.16.11 (including) |
| Bugzilla | Mozilla | 2.16_rc2 (including) | 2.16_rc2 (including) |
| Bugzilla | Mozilla | 2.17 (including) | 2.17 (including) |
| Bugzilla | Mozilla | 2.17.1 (including) | 2.17.1 (including) |
| Bugzilla | Mozilla | 2.17.2 (including) | 2.17.2 (including) |
| Bugzilla | Mozilla | 2.17.3 (including) | 2.17.3 (including) |
| Bugzilla | Mozilla | 2.17.4 (including) | 2.17.4 (including) |
| Bugzilla | Mozilla | 2.17.5 (including) | 2.17.5 (including) |
| Bugzilla | Mozilla | 2.17.6 (including) | 2.17.6 (including) |
| Bugzilla | Mozilla | 2.17.7 (including) | 2.17.7 (including) |
| Bugzilla | Mozilla | 2.18 (including) | 2.18 (including) |
| Bugzilla | Mozilla | 2.18-rc1 (including) | 2.18-rc1 (including) |
| Bugzilla | Mozilla | 2.18-rc2 (including) | 2.18-rc2 (including) |
| Bugzilla | Mozilla | 2.18-rc3 (including) | 2.18-rc3 (including) |
| Bugzilla | Mozilla | 2.18.1 (including) | 2.18.1 (including) |
| Bugzilla | Mozilla | 2.18.2 (including) | 2.18.2 (including) |
| Bugzilla | Mozilla | 2.18.3 (including) | 2.18.3 (including) |
| Bugzilla | Mozilla | 2.18.4 (including) | 2.18.4 (including) |
| Bugzilla | Mozilla | 2.18.5 (including) | 2.18.5 (including) |
| Bugzilla | Mozilla | 2.18.6 (including) | 2.18.6 (including) |
| Bugzilla | Mozilla | 2.18.6+ (including) | 2.18.6+ (including) |
| Bugzilla | Mozilla | 2.18.7 (including) | 2.18.7 (including) |
| Bugzilla | Mozilla | 2.18.8 (including) | 2.18.8 (including) |
| Bugzilla | Mozilla | 2.18.9 (including) | 2.18.9 (including) |
| Bugzilla | Mozilla | 2.19 (including) | 2.19 (including) |
| Bugzilla | Mozilla | 2.19.1 (including) | 2.19.1 (including) |
| Bugzilla | Mozilla | 2.19.2 (including) | 2.19.2 (including) |
| Bugzilla | Mozilla | 2.19.3 (including) | 2.19.3 (including) |
| Bugzilla | Mozilla | 2.20 (including) | 2.20 (including) |
| Bugzilla | Mozilla | 2.20-rc1 (including) | 2.20-rc1 (including) |
| Bugzilla | Mozilla | 2.20-rc2 (including) | 2.20-rc2 (including) |
| Bugzilla | Mozilla | 2.20.1 (including) | 2.20.1 (including) |
| Bugzilla | Mozilla | 2.20.2 (including) | 2.20.2 (including) |
| Bugzilla | Mozilla | 2.20.3 (including) | 2.20.3 (including) |
| Bugzilla | Mozilla | 2.20.4 (including) | 2.20.4 (including) |
| Bugzilla | Mozilla | 2.20.5 (including) | 2.20.5 (including) |
| Bugzilla | Mozilla | 2.20.6 (including) | 2.20.6 (including) |
| Bugzilla | Mozilla | 2.20.7 (including) | 2.20.7 (including) |
| Bugzilla | Mozilla | 2.21 (including) | 2.21 (including) |
| Bugzilla | Mozilla | 2.21.1 (including) | 2.21.1 (including) |
| Bugzilla | Mozilla | 2.21.2 (including) | 2.21.2 (including) |
| Bugzilla | Mozilla | 2.21.2-rc1 (including) | 2.21.2-rc1 (including) |
| Bugzilla | Mozilla | 2.22 (including) | 2.22 (including) |
| Bugzilla | Mozilla | 2.22-rc1 (including) | 2.22-rc1 (including) |
| Bugzilla | Mozilla | 2.22.1 (including) | 2.22.1 (including) |
| Bugzilla | Mozilla | 2.22.2 (including) | 2.22.2 (including) |
| Bugzilla | Mozilla | 2.22.3 (including) | 2.22.3 (including) |
| Bugzilla | Mozilla | 2.22.4 (including) | 2.22.4 (including) |
| Bugzilla | Mozilla | 2.22.5 (including) | 2.22.5 (including) |
| Bugzilla | Mozilla | 2.22.6 (including) | 2.22.6 (including) |
| Bugzilla | Mozilla | 2.22.7 (including) | 2.22.7 (including) |
| Bugzilla | Mozilla | 2.23 (including) | 2.23 (including) |
| Bugzilla | Mozilla | 2.23.1 (including) | 2.23.1 (including) |
| Bugzilla | Mozilla | 2.23.2 (including) | 2.23.2 (including) |
| Bugzilla | Mozilla | 2.23.3 (including) | 2.23.3 (including) |
| Bugzilla | Mozilla | 2.23.4 (including) | 2.23.4 (including) |
| Bugzilla | Mozilla | 3.0 (including) | 3.0 (including) |
| Bugzilla | Mozilla | 3.0-rc1 (including) | 3.0-rc1 (including) |
| Bugzilla | Mozilla | 3.0.0 (including) | 3.0.0 (including) |
| Bugzilla | Mozilla | 3.0.1 (including) | 3.0.1 (including) |
| Bugzilla | Mozilla | 3.0.2 (including) | 3.0.2 (including) |
| Bugzilla | Mozilla | 3.0.3 (including) | 3.0.3 (including) |
| Bugzilla | Mozilla | 3.0.4 (including) | 3.0.4 (including) |
| Bugzilla | Mozilla | 3.0.5 (including) | 3.0.5 (including) |
| Bugzilla | Mozilla | 3.0.6 (including) | 3.0.6 (including) |
| Bugzilla | Mozilla | 3.0.7 (including) | 3.0.7 (including) |
| Bugzilla | Mozilla | 3.0.8 (including) | 3.0.8 (including) |
| Bugzilla | Mozilla | 3.0.9 (including) | 3.0.9 (including) |
| Bugzilla | Mozilla | 3.0.10 (including) | 3.0.10 (including) |
| Bugzilla | Mozilla | 3.0.11 (including) | 3.0.11 (including) |
| Bugzilla | Mozilla | 3.0_rc1 (including) | 3.0_rc1 (including) |
| Bugzilla | Mozilla | 3.1.0 (including) | 3.1.0 (including) |
| Bugzilla | Mozilla | 3.1.1 (including) | 3.1.1 (including) |
| Bugzilla | Mozilla | 3.1.2 (including) | 3.1.2 (including) |
| Bugzilla | Mozilla | 3.1.3 (including) | 3.1.3 (including) |
| Bugzilla | Mozilla | 3.1.4 (including) | 3.1.4 (including) |
| Bugzilla | Mozilla | 3.2 (including) | 3.2 (including) |
| Bugzilla | Mozilla | 3.2-rc1 (including) | 3.2-rc1 (including) |
| Bugzilla | Mozilla | 3.2-rc2 (including) | 3.2-rc2 (including) |
| Bugzilla | Mozilla | 3.2.1 (including) | 3.2.1 (including) |
| Bugzilla | Mozilla | 3.2.2 (including) | 3.2.2 (including) |
| Bugzilla | Mozilla | 3.2.3 (including) | 3.2.3 (including) |
| Bugzilla | Mozilla | 3.2.4 (including) | 3.2.4 (including) |
| Bugzilla | Mozilla | 3.2.5 (including) | 3.2.5 (including) |
| Bugzilla | Mozilla | 3.2.6 (including) | 3.2.6 (including) |
| Bugzilla | Mozilla | 3.2.7 (including) | 3.2.7 (including) |
| Bugzilla | Mozilla | 3.2.8 (including) | 3.2.8 (including) |
| Bugzilla | Mozilla | 3.2.9 (including) | 3.2.9 (including) |
| Bugzilla | Mozilla | 3.2.10 (including) | 3.2.10 (including) |
| Bugzilla | Mozilla | 3.3 (including) | 3.3 (including) |
| Bugzilla | Mozilla | 3.3.1 (including) | 3.3.1 (including) |
| Bugzilla | Mozilla | 3.3.2 (including) | 3.3.2 (including) |
| Bugzilla | Mozilla | 3.3.3 (including) | 3.3.3 (including) |
| Bugzilla | Mozilla | 3.3.4 (including) | 3.3.4 (including) |
| Bugzilla | Mozilla | 3.4 (including) | 3.4 (including) |
| Bugzilla | Mozilla | 3.4-rc1 (including) | 3.4-rc1 (including) |
| Bugzilla | Mozilla | 3.4.1 (including) | 3.4.1 (including) |
| Bugzilla | Mozilla | 3.4.2 (including) | 3.4.2 (including) |
| Bugzilla | Mozilla | 3.4.3 (including) | 3.4.3 (including) |
| Bugzilla | Mozilla | 3.4.4 (including) | 3.4.4 (including) |
| Bugzilla | Mozilla | 3.4.5 (including) | 3.4.5 (including) |
| Bugzilla | Mozilla | 3.4.6 (including) | 3.4.6 (including) |
| Bugzilla | Mozilla | 3.4.7 (including) | 3.4.7 (including) |
| Bugzilla | Mozilla | 3.4.8 (including) | 3.4.8 (including) |
| Bugzilla | Mozilla | 3.4.9 (including) | 3.4.9 (including) |
| Bugzilla | Mozilla | 3.4.10 (including) | 3.4.10 (including) |
| Bugzilla | Mozilla | 3.4.11 (including) | 3.4.11 (including) |
| Bugzilla | Mozilla | 3.4.12 (including) | 3.4.12 (including) |
| Bugzilla | Mozilla | 3.4.13 (including) | 3.4.13 (including) |
| Bugzilla | Mozilla | 3.5 (including) | 3.5 (including) |
| Bugzilla | Mozilla | 3.5.1 (including) | 3.5.1 (including) |
| Bugzilla | Mozilla | 3.5.2 (including) | 3.5.2 (including) |
| Bugzilla | Mozilla | 3.5.3 (including) | 3.5.3 (including) |
| Bugzilla | Mozilla | 3.6 (including) | 3.6 (including) |
| Bugzilla | Mozilla | 3.6-rc1 (including) | 3.6-rc1 (including) |
| Bugzilla | Mozilla | 3.6.0 (including) | 3.6.0 (including) |
| Bugzilla | Mozilla | 3.6.1 (including) | 3.6.1 (including) |
| Bugzilla | Mozilla | 3.6.2 (including) | 3.6.2 (including) |
| Bugzilla | Mozilla | 3.6.3 (including) | 3.6.3 (including) |
| Bugzilla | Mozilla | 3.6.4 (including) | 3.6.4 (including) |
| Bugzilla | Mozilla | 3.6.5 (including) | 3.6.5 (including) |
| Bugzilla | Mozilla | 3.6.6 (including) | 3.6.6 (including) |
| Bugzilla | Mozilla | 3.6.7 (including) | 3.6.7 (including) |
| Bugzilla | Mozilla | 3.6.8 (including) | 3.6.8 (including) |
| Bugzilla | Mozilla | 3.6.9 (including) | 3.6.9 (including) |
| Bugzilla | Mozilla | 3.6.10 (including) | 3.6.10 (including) |
| Bugzilla | Mozilla | 3.6.11 (including) | 3.6.11 (including) |
| Bugzilla | Mozilla | 3.6.12 (including) | 3.6.12 (including) |
| Bugzilla | Mozilla | 3.6.13 (including) | 3.6.13 (including) |
| Bugzilla | Mozilla | 3.7 (including) | 3.7 (including) |
| Bugzilla | Mozilla | 3.7.1 (including) | 3.7.1 (including) |
| Bugzilla | Mozilla | 3.7.2 (including) | 3.7.2 (including) |
| Bugzilla | Mozilla | 3.7.3 (including) | 3.7.3 (including) |
| Bugzilla | Mozilla | 4.0 (including) | 4.0 (including) |
| Bugzilla | Mozilla | 4.0-rc1 (including) | 4.0-rc1 (including) |
| Bugzilla | Mozilla | 4.0-rc2 (including) | 4.0-rc2 (including) |
| Bugzilla | Mozilla | 4.0.1 (including) | 4.0.1 (including) |
| Bugzilla | Mozilla | 4.0.10 (including) | 4.0.10 (including) |
| Bugzilla | Mozilla | 4.0.11 (including) | 4.0.11 (including) |
| Bugzilla | Mozilla | 4.0.12 (including) | 4.0.12 (including) |
| Bugzilla | Mozilla | 4.0.13 (including) | 4.0.13 (including) |
| Bugzilla | Mozilla | 4.0.14 (including) | 4.0.14 (including) |
| Bugzilla | Mozilla | 4.1 (including) | 4.1 (including) |
| Bugzilla | Mozilla | 4.1.1 (including) | 4.1.1 (including) |
| Bugzilla | Mozilla | 4.1.2 (including) | 4.1.2 (including) |
| Bugzilla | Mozilla | 4.1.3 (including) | 4.1.3 (including) |
| Bugzilla | Mozilla | 4.2 (including) | 4.2 (including) |
| Bugzilla | Mozilla | 4.2-rc1 (including) | 4.2-rc1 (including) |
| Bugzilla | Mozilla | 4.2-rc2 (including) | 4.2-rc2 (including) |
| Bugzilla | Mozilla | 4.2.1 (including) | 4.2.1 (including) |
| Bugzilla | Mozilla | 4.2.2 (including) | 4.2.2 (including) |
| Bugzilla | Mozilla | 4.2.3 (including) | 4.2.3 (including) |
| Bugzilla | Mozilla | 4.2.4 (including) | 4.2.4 (including) |
| Bugzilla | Mozilla | 4.2.5 (including) | 4.2.5 (including) |
| Bugzilla | Mozilla | 4.2.6 (including) | 4.2.6 (including) |
| Bugzilla | Mozilla | 4.2.7 (including) | 4.2.7 (including) |
| Bugzilla | Mozilla | 4.2.8 (including) | 4.2.8 (including) |
| Bugzilla | Mozilla | 4.2.9 (including) | 4.2.9 (including) |
| Bugzilla | Mozilla | 4.2.10 (including) | 4.2.10 (including) |
| Bugzilla | Mozilla | 4.3 (including) | 4.3 (including) |
| Bugzilla | Mozilla | 4.3.1 (including) | 4.3.1 (including) |
| Bugzilla | Mozilla | 4.3.2 (including) | 4.3.2 (including) |
| Bugzilla | Mozilla | 4.3.3 (including) | 4.3.3 (including) |
| Bugzilla | Mozilla | 4.4 (including) | 4.4 (including) |
| Bugzilla | Mozilla | 4.4-rc1 (including) | 4.4-rc1 (including) |
| Bugzilla | Mozilla | 4.4-rc2 (including) | 4.4-rc2 (including) |
| Bugzilla | Mozilla | 4.4.1 (including) | 4.4.1 (including) |
| Bugzilla | Mozilla | 4.4.2 (including) | 4.4.2 (including) |
| Bugzilla | Mozilla | 4.4.3 (including) | 4.4.3 (including) |
| Bugzilla | Mozilla | 4.4.4 (including) | 4.4.4 (including) |
| Bugzilla | Mozilla | 4.4.5 (including) | 4.4.5 (including) |
| Bugzilla | Mozilla | 4.5 (including) | 4.5 (including) |
| Bugzilla | Mozilla | 4.5.1 (including) | 4.5.1 (including) |
| Bugzilla | Mozilla | 4.5.2 (including) | 4.5.2 (including) |
| Bugzilla | Mozilla | 4.5.3 (including) | 4.5.3 (including) |
| Bugzilla | Mozilla | 4.5.4 (including) | 4.5.4 (including) |
| Bugzilla | Mozilla | 4.5.5 (including) | 4.5.5 (including) |
| Bugzilla | Ubuntu | lucid | * |
There are many different kinds of mistakes that introduce information exposures. The severity of the error can range widely, depending on the context in which the product operates, the type of sensitive information that is revealed, and the benefits it may provide to an attacker. Some kinds of sensitive information include:
Information might be sensitive to different parties, each of which may have their own expectations for whether the information should be protected. These parties include:
Information exposures can occur in different ways:
It is common practice to describe any loss of confidentiality as an “information exposure,” but this can lead to overuse of CWE-200 in CWE mapping. From the CWE perspective, loss of confidentiality is a technical impact that can arise from dozens of different weaknesses, such as insecure file permissions or out-of-bounds read. CWE-200 and its lower-level descendants are intended to cover the mistakes that occur in behaviors that explicitly manage, store, transfer, or cleanse sensitive information.