A critical security vulnerability in the popular online bug-tracking-and-testing tool Bugzilla has been patched, and users are advised to update to the new releases as soon as possible.
Successful exploitation of the flaw in question could allow attackers to access reports about unfixed vulnerabilities in a wide range of software – information that can be misused by the attackers themselves or sold on to cyber crooks or spies for big money.
A number of well-known organizations and projects use Bugzilla: the Mozilla Foundation, the Linux kernel project, GNOME, Apache, Red Hat, LibreOffice, the Wikimedia Foundation, and many more.
The software they produce and maintain is used around the world, so you can see how knowing about vulnerabilities before they are fixed could come in handy to many malicious actors.
The latest Bugzilla releases (4.5.6, 4.4.6, 4.2.11, and 4.0.15) solve this and three other security issues, as detailed in this advisory. The releases can be picked up here, and the same goes for patches if users are unable to upgrade their software at this time.
“There is no way to find out if anyone did exploit this other than going through the user list and seeing if you have a suspicious user there,” Shahar Tal, vulnerability research team leader for Check Point, commented.