Vulnerability Details : CVE-2015-1638
Microsoft Active Directory Federation Services (AD FS) 3.0 on Windows Server 2012 R2 does not properly handle logoff actions, which allows remote attackers to bypass intended access restrictions by leveraging an unattended workstation, aka "Active Directory Federation Services Information Disclosure Vulnerability."
Vulnerability category: Information leak
Products affected by CVE-2015-1638
- cpe:2.3:o:microsoft:windows_server_2012:r2:*:*:*:standard:*:*:*
- cpe:2.3:o:microsoft:windows_server_2012:r2:*:*:*:datacenter:*:*:*
- cpe:2.3:o:microsoft:windows_server_2012:r2:*:*:*:essentials:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2015-1638
- EPSS score: 1.02% (probability of exploitation activity in the next 30 days)
- EPSS percentile: ~82% (the proportion of vulnerabilities that are scored at or below this one)
CVSS scores for CVE-2015-1638
| Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
|---|---|---|---|---|---|---|
| 5.8 | MEDIUM | AV:N/AC:M/Au:N/C:P/I:P/A:N | 8.6 | 4.9 | NIST | |
CWE ids for CVE-2015-1638
- Assigned by: nvd@nist.gov (Primary)
References for CVE-2015-1638
- https://docs.microsoft.com/en-us/security-updates/securitybulletins/2015/ms15-040 (Microsoft Security Bulletin MS15-040 - Important | Microsoft Docs)
- http://www.securitytracker.com/id/1032115 (Microsoft Active Directory Federation Services Logout Failure Lets Local Users Access the Target User's Account - SecurityTracker)