CVE-2003-0013 - Vulnerability Details - OpenCVE

The default .htaccess scripts for Bugzilla 2.14.x before 2.14.5, 2.16.x before 2.16.2, and 2.17.x before 2.17.3 do not include filenames for backup copies of the localconfig file that are made from editors such as vi and Emacs, which could allow remote attackers to obtain a database password by directly accessing the backup file.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Mozilla	Bugzilla

Configuration 1 [-]

OR	cpe:2.3:a:mozilla:bugzilla:2.14:::::::*
	cpe:2.3:a:mozilla:bugzilla:2.14.1:::::::*
	cpe:2.3:a:mozilla:bugzilla:2.14.2:::::::*
	cpe:2.3:a:mozilla:bugzilla:2.14.3:::::::*
	cpe:2.3:a:mozilla:bugzilla:2.14.4:::::::*
	cpe:2.3:a:mozilla:bugzilla:2.16:::::::*
	cpe:2.3:a:mozilla:bugzilla:2.16.1:::::::*
	cpe:2.3:a:mozilla:bugzilla:2.17:::::::*
	cpe:2.3:a:mozilla:bugzilla:2.17.1:::::::*

No data.

References

Link	Providers
http://marc.info/?l=bugtraq&m=104154319200399&w=2
http://www.debian.org/security/2003/dsa-230
http://www.iss.net/security_center/static/10970.php
http://www.osvdb.org/6351
http://www.securityfocus.com/bid/6501

History

No history.

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2004-09-01T04:00:00

Updated: 2024-08-08T01:36:25.397Z

Reserved: 2003-01-06T00:00:00

Link: CVE-2003-0013

Vulnrichment

No data.

NVD

Status : Deferred

Published: 2003-01-17T05:00:00.000

Modified: 2025-04-03T01:03:51.193

Link: CVE-2003-0013

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2003-01-02T00:00:00", "descriptions": [{"lang": "en", "value": "The default .htaccess scripts for Bugzilla 2.14.x before 2.14.5, 2.16.x before 2.16.2, and 2.17.x before 2.17.3 do not include filenames for backup copies of the localconfig file that are made from editors such as vi and Emacs, which could allow remote attackers to obtain a database password by directly accessing the backup file."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2007-11-21T00:00:00", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"name": "6351", "tags": ["vdb-entry", "x_refsource_OSVDB"], "url": "http://www.osvdb.org/6351"}, {"name": "6501", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/6501"}, {"name": "bugzilla-htaccess-database-password(10970)", "tags": ["vdb-entry", "x_refsource_XF"], "url": "http://www.iss.net/security_center/static/10970.php"}, {"name": "20030102 [BUGZILLA] Security Advisory - remote database password disclosure", "tags": ["mailing-list", "x_refsource_BUGTRAQ"], "url": "http://marc.info/?l=bugtraq&m=104154319200399&w=2"}, {"name": "DSA-230", "tags": ["vendor-advisory", "x_refsource_DEBIAN"], "url": "http://www.debian.org/security/2003/dsa-230"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2003-0013", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "The default .htaccess scripts for Bugzilla 2.14.x before 2.14.5, 2.16.x before 2.16.2, and 2.17.x before 2.17.3 do not include filenames for backup copies of the localconfig file that are made from editors such as vi and Emacs, which could allow remote attackers to obtain a database password by directly accessing the backup file."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "6351", "refsource": "OSVDB", "url": "http://www.osvdb.org/6351"}, {"name": "6501", "refsource": "BID", "url": "http://www.securityfocus.com/bid/6501"}, {"name": "bugzilla-htaccess-database-password(10970)", "refsource": "XF", "url": "http://www.iss.net/security_center/static/10970.php"}, {"name": "20030102 [BUGZILLA] Security Advisory - remote database password disclosure", "refsource": "BUGTRAQ", "url": "http://marc.info/?l=bugtraq&m=104154319200399&w=2"}, {"name": "DSA-230", "refsource": "DEBIAN", "url": "http://www.debian.org/security/2003/dsa-230"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-08T01:36:25.397Z"}, "title": "CVE Program Container", "references": [{"name": "6351", "tags": ["vdb-entry", "x_refsource_OSVDB", "x_transferred"], "url": "http://www.osvdb.org/6351"}, {"name": "6501", "tags": ["vdb-entry", "x_refsource_BID", "x_transferred"], "url": "http://www.securityfocus.com/bid/6501"}, {"name": "bugzilla-htaccess-database-password(10970)", "tags": ["vdb-entry", "x_refsource_XF", "x_transferred"], "url": "http://www.iss.net/security_center/static/10970.php"}, {"name": "20030102 [BUGZILLA] Security Advisory - remote database password disclosure", "tags": ["mailing-list", "x_refsource_BUGTRAQ", "x_transferred"], "url": "http://marc.info/?l=bugtraq&m=104154319200399&w=2"}, {"name": "DSA-230", "tags": ["vendor-advisory", "x_refsource_DEBIAN", "x_transferred"], "url": "http://www.debian.org/security/2003/dsa-230"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2003-0013", "datePublished": "2004-09-01T04:00:00", "dateReserved": "2003-01-06T00:00:00", "dateUpdated": "2024-08-08T01:36:25.397Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:mozilla:bugzilla:2.14:*:*:*:*:*:*:*", "matchCriteriaId": "1883A98C-E595-4F3C-87BF-A63393F9F561", "vulnerable": true}, {"criteria": "cpe:2.3:a:mozilla:bugzilla:2.14.1:*:*:*:*:*:*:*", "matchCriteriaId": "DD49E53A-5676-4FAC-A8A2-30FAC04C33D7", "vulnerable": true}, {"criteria": "cpe:2.3:a:mozilla:bugzilla:2.14.2:*:*:*:*:*:*:*", "matchCriteriaId": "1084AF8E-5269-4EFF-BBD2-C5A77945FCF2", "vulnerable": true}, {"criteria": "cpe:2.3:a:mozilla:bugzilla:2.14.3:*:*:*:*:*:*:*", "matchCriteriaId": "D9A4B035-B73E-48E9-BBB9-83219F5D2A95", "vulnerable": true}, {"criteria": "cpe:2.3:a:mozilla:bugzilla:2.14.4:*:*:*:*:*:*:*", "matchCriteriaId": "9452C271-2812-4775-8396-394C642EACFD", "vulnerable": true}, {"criteria": "cpe:2.3:a:mozilla:bugzilla:2.16:*:*:*:*:*:*:*", "matchCriteriaId": "F16D338E-C5BC-46E1-95DD-D9B0E25EE56E", "vulnerable": true}, {"criteria": "cpe:2.3:a:mozilla:bugzilla:2.16.1:*:*:*:*:*:*:*", "matchCriteriaId": "19F19219-3AFD-4D8E-B02B-BFCBD1BC7C36", "vulnerable": true}, {"criteria": "cpe:2.3:a:mozilla:bugzilla:2.17:*:*:*:*:*:*:*", "matchCriteriaId": "9B2FC5C7-B218-4B87-9805-F90AC0E7A281", "vulnerable": true}, {"criteria": "cpe:2.3:a:mozilla:bugzilla:2.17.1:*:*:*:*:*:*:*", "matchCriteriaId": "BBCDA64F-C49A-4F5B-B285-4079D8E3A499", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "The default .htaccess scripts for Bugzilla 2.14.x before 2.14.5, 2.16.x before 2.16.2, and 2.17.x before 2.17.3 do not include filenames for backup copies of the localconfig file that are made from editors such as vi and Emacs, which could allow remote attackers to obtain a database password by directly accessing the backup file."}, {"lang": "es", "value": "Los scripts .htaccess por defecto en Bugzilla 2.14.x anteriores a 2.14.5, 2.16.x anteriores a 2.16.2, y 2.17.x anteriores a 2.17.3 no bloquean el acceso a copias de seguridad del fichero localconfig que son hechas por editores como vi y Emacs, lo que podr\u00eda permitir a atacantes remotos obtener una contrase\u00f1a de la base de datos accediendo directamente al fichero copia de seguridad."}], "id": "CVE-2003-0013", "lastModified": "2025-04-03T01:03:51.193", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": true, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}]}, "published": "2003-01-17T05:00:00.000", "references": [{"source": "cve@mitre.org", "url": "http://marc.info/?l=bugtraq&m=104154319200399&w=2"}, {"source": "cve@mitre.org", "tags": ["Patch", "Vendor Advisory"], "url": "http://www.debian.org/security/2003/dsa-230"}, {"source": "cve@mitre.org", "url": "http://www.iss.net/security_center/static/10970.php"}, {"source": "cve@mitre.org", "url": "http://www.osvdb.org/6351"}, {"source": "cve@mitre.org", "url": "http://www.securityfocus.com/bid/6501"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://marc.info/?l=bugtraq&m=104154319200399&w=2"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Vendor Advisory"], "url": "http://www.debian.org/security/2003/dsa-230"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.iss.net/security_center/static/10970.php"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.osvdb.org/6351"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.securityfocus.com/bid/6501"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-Other"}], "source": "nvd@nist.gov", "type": "Primary"}]}