Description
Bugzilla 2.16.x before 2.16.3, 2.17.x before 2.17.4, and earlier versions allows local users to overwrite arbitrary files via a symlink attack on temporary files that are created in directories with group-writable or world-writable permissions.
Product(s):
- Mozilla Bugzilla 2.10
- Mozilla Bugzilla 2.12
- Mozilla Bugzilla 2.14.1
- Mozilla Bugzilla 2.14.2
- Mozilla Bugzilla 2.14.3
- Mozilla Bugzilla 2.14.4
- Mozilla Bugzilla 2.14.5
- Mozilla Bugzilla 2.14
- Mozilla Bugzilla 2.16.1
- Mozilla Bugzilla 2.16.2
- Mozilla Bugzilla 2.16
- Mozilla Bugzilla 2.16 rc1
- Mozilla Bugzilla 2.16 release candidate 2
- Mozilla Bugzilla 2.17.1
- Mozilla Bugzilla 2.17.3
- Mozilla Bugzilla 2.17
Question to Ask Vendors:
- Can you confirm whether your systems are affected by CVE-2003-0603, and if so, what steps are you currently taking to mitigate this vulnerability?
- What is your estimated timeline for fully resolving CVE-2003-0603 in your products or services, and how will you communicate updates on this issue to us as your customer?
Recommended Actions:
- Check out the advisory links provided below.