CVE-2014-8630

medium

Published 2015-02-01 · Modified 2026-05-06

CVSS v3

—

CVSS v2

6.5

VIR risk

6.5

Description

Bugzilla before 4.0.16, 4.1.x and 4.2.x before 4.2.12, 4.3.x and 4.4.x before 4.4.7, and 5.x before 5.0rc1 allows remote authenticated users to execute arbitrary commands by leveraging the editcomponents privilege and triggering crafted input to a two-argument Perl open call, as demonstrated by shell metacharacters in a product name.

Predictions

Exploit likelihood

20%

Patch ETA

—

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

vendor Authored 2026-05-27

Vendor advisory: security@mozilla.org — https://bugzilla.mozilla.org/show_bug.cgi?id=1079065

vendor Authored 2026-05-27

Vendor advisory: security@mozilla.org — http://www.bugzilla.org/security/4.0.15/

OS impact

OS	Version	Status	Fixed in
fedora	20	affected
fedora	21	affected

Application impact

Vendor	Product	Versions
mozilla	bugzilla	`{"endIncluding":"4.0.16"}`
mozilla	bugzilla	`4.1`
mozilla	bugzilla	`4.1.1`
mozilla	bugzilla	`4.1.2`
mozilla	bugzilla	`4.1.3`
mozilla	bugzilla	`4.2`
mozilla	bugzilla	`4.2.1`
mozilla	bugzilla	`4.2.2`
mozilla	bugzilla	`4.2.3`
mozilla	bugzilla	`4.2.4`
mozilla	bugzilla	`4.2.5`
mozilla	bugzilla	`4.2.6`
mozilla	bugzilla	`4.2.7`
mozilla	bugzilla	`4.2.8`
mozilla	bugzilla	`4.2.9`
mozilla	bugzilla	`4.2.10`
mozilla	bugzilla	`4.2.11`
mozilla	bugzilla	`4.3`
mozilla	bugzilla	`4.3.1`
mozilla	bugzilla	`4.3.2`
mozilla	bugzilla	`4.3.3`
mozilla	bugzilla	`4.4`
mozilla	bugzilla	`4.4.1`
mozilla	bugzilla	`4.4.2`
mozilla	bugzilla	`4.4.3`
mozilla	bugzilla	`4.4.4`
mozilla	bugzilla	`4.4.5`
mozilla	bugzilla	`4.4.6`
mozilla	bugzilla	`4.5`
mozilla	bugzilla	`4.5.1`
mozilla	bugzilla	`4.5.2`
mozilla	bugzilla	`4.5.3`
mozilla	bugzilla	`4.5.4`
mozilla	bugzilla	`4.5.5`
mozilla	bugzilla	`4.5.6`

References

CWEs

CWE-77

Verify integrity in audit chain (admin only). AS-IS.