Vulnerability Details : CVE-2015-2204
Evergreen before 2.5.9, 2.6.x before 2.6.7, and 2.7.x before 2.7.4 allows remote attackers to bypass an intended access restriction and obtain sensitive information about org unit settings by leveraging failure of open-ils.actor.ou_setting.ancestor_default to enforce view_perm when no auth token is provided.
Vulnerability category: Information leak
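The description above names the failure mode: a setting-lookup call that only enforces a setting's view permission when the caller presents an auth token, so an unauthenticated call skips the check and reads a protected value. The following is an added illustration of that bug class and its fix, written here for this page; it is not Evergreen's code, and the org unit tree, setting names, permission name and session tokens are all constructed for the example.

```python
"""
Model of the authorization flaw described for CVE-2015-2204: the vulnerable
lookup reaches the view_perm check only when an auth token is supplied, so
an anonymous caller bypasses it. Illustrative only; not Evergreen's code.
"""
from typing import Dict, Optional, Set


class PermissionDenied(Exception):
    """Raised when the caller may not view a permission-protected setting."""


# Constructed sample data (not Evergreen data): child org unit -> parent.
ORG_PARENT: Dict[str, Optional[str]] = {"BR1": "SYS1", "SYS1": "CONS", "CONS": None}

# Constructed settings keyed by (org unit, setting name). A setting whose
# view_perm is set may only be read by a session holding that permission.
SETTINGS = {
    ("CONS", "example.public_setting"): {"value": "open", "view_perm": None},
    ("CONS", "example.protected_setting"): {"value": "secret", "view_perm": "VIEW_PROTECTED_SETTING"},
    ("SYS1", "example.protected_setting"): {"value": "sys-secret", "view_perm": "VIEW_PROTECTED_SETTING"},
}

# Constructed auth tokens -> permissions held by that session.
SESSIONS: Dict[str, Set[str]] = {
    "tok-staff": {"VIEW_PROTECTED_SETTING"},
    "tok-patron": set(),
}


def _ancestor_lookup(org: str, name: str):
    """Walk from org toward the root and return the first definition found."""
    current: Optional[str] = org
    while current is not None:
        hit = SETTINGS.get((current, name))
        if hit is not None:
            return hit
        current = ORG_PARENT.get(current)
    return None


def _check_view_perm(auth_token: str, view_perm: str) -> None:
    """Reject unknown tokens and sessions lacking view_perm."""
    perms = SESSIONS.get(auth_token)
    if perms is None or view_perm not in perms:
        raise PermissionDenied(f"{view_perm} required")


def ancestor_default_vulnerable(org: str, name: str, auth_token: Optional[str] = None):
    setting = _ancestor_lookup(org, name)
    if setting is None:
        return None
    # Bug: the permission check is only reached when a token is present,
    # so a caller that sends no token never hits it.
    if auth_token is not None and setting["view_perm"] is not None:
        _check_view_perm(auth_token, setting["view_perm"])
    return setting["value"]


def ancestor_default_fixed(org: str, name: str, auth_token: Optional[str] = None):
    setting = _ancestor_lookup(org, name)
    if setting is None:
        return None
    # Fix: a protected setting always needs an authenticated session holding
    # view_perm; a missing token is a denial, not a bypass.
    if setting["view_perm"] is not None:
        if auth_token is None:
            raise PermissionDenied("authentication required")
        _check_view_perm(auth_token, setting["view_perm"])
    return setting["value"]


def is_denied(lookup, org: str, name: str, auth_token: Optional[str] = None) -> bool:
    """True if the given lookup function refuses this request."""
    try:
        lookup(org, name, auth_token)
        return False
    except PermissionDenied:
        return True


def leaks_without_token(org: str, name: str) -> bool:
    """True if the vulnerable path returns a protected value with no token."""
    setting = _ancestor_lookup(org, name)
    if setting is None or setting["view_perm"] is None:
        return False
    return ancestor_default_vulnerable(org, name) == setting["value"]


if __name__ == "__main__":
    print("vulnerable, no token:", ancestor_default_vulnerable("BR1", "example.protected_setting"))
    print("fixed, no token denied:", is_denied(ancestor_default_fixed, "BR1", "example.protected_setting"))
    print("fixed, staff token:", ancestor_default_fixed("BR1", "example.protected_setting", "tok-staff"))
```

The point of the fixed variant is that the decision keys off the setting's own view_perm first and treats "no session" as the least-privileged caller; the token's presence is never what gates the check.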
Products affected by CVE-2015-2204
- cpe:2.3:a:evergreen-ils:evergreen:*:*:*:*:*:*:*:* (three version ranges: before 2.5.9; 2.6.x before 2.6.7; 2.7.x before 2.7.4)
Exploit prediction scoring system (EPSS) score for CVE-2015-2204
- EPSS score: 0.42% (probability of exploitation activity in the next 30 days)
- EPSS percentile: ~71% (proportion of vulnerabilities scored at or below this score)
CVSS scores for CVE-2015-2204
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen
---|---|---|---|---|---|---
5.0 | MEDIUM | AV:N/AC:L/Au:N/C:P/I:N/A:N | 10.0 | 2.9 | NIST |
7.5 | HIGH | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N | 3.9 | 3.6 | NIST |
CWE ids for CVE-2015-2204
- The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information. (Assigned by: nvd@nist.gov, Primary)
References for CVE-2015-2204
- http://evergreen-ils.org/downloads/ChangeLog-2.6.6-2.6.7 (Issue Tracking; Release Notes)
- http://git.evergreen-ils.org/?p=Evergreen.git;a=commit;h=3a0f1cc7b2efa517ee4cd4c6a682237554fed307 : Evergreen.git commit (Issue Tracking; Patch)
- https://bugs.launchpad.net/evergreen/+bug/1424755 : Bug #1424755 "Org Unit Setting View Permissions Can Be Bypassed" (Issue Tracking; Vendor Advisory; Patch)
- http://evergreen-ils.org/downloads/ChangeLog-2.7.3-2.7.4 (Issue Tracking; Release Notes)
- http://www.openwall.com/lists/oss-security/2015/03/04/3 : oss-security - Re: CVE request - Evergreen (Mailing List; Issue Tracking; Third Party Advisory)
- http://evergreen-ils.org/downloads/ChangeLog-2.5.8-2.5.9 (Issue Tracking; Release Notes)
- http://evergreen-ils.org/security-releases-evergreen-2-7-4-2-6-7-and-2-5-9/ : SECURITY RELEASES: Evergreen 2.7.4, 2.6.7, and 2.5.9 (Issue Tracking; Patch; Release Notes)
- http://www.securityfocus.com/bid/72889 : Evergreen CVE-2015-2204 Information Disclosure Vulnerability (Third Party Advisory; VDB Entry)