Vulnerability Details : CVE-2015-2859
Intel McAfee ePolicy Orchestrator (ePO) 4.x through 4.6.9 and 5.x through 5.1.2 does not validate server names and Certification Authority names in X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.
Products affected by CVE-2015-2859
- cpe:2.3:a:mcafee:epolicy_orchestrator:4.0:*:*:*:*:*:*:*
- cpe:2.3:a:mcafee:epolicy_orchestrator:4.5.0:*:*:*:*:*:*:*
- cpe:2.3:a:mcafee:epolicy_orchestrator:4.6.0:*:*:*:*:*:*:*
- cpe:2.3:a:mcafee:epolicy_orchestrator:4.5.5:*:*:*:*:*:*:*
- cpe:2.3:a:mcafee:epolicy_orchestrator:4.5.4:*:*:*:*:*:*:*
- cpe:2.3:a:mcafee:epolicy_orchestrator:4.5.3:*:*:*:*:*:*:*
- cpe:2.3:a:mcafee:epolicy_orchestrator:4.6.4:*:*:*:*:*:*:*
- cpe:2.3:a:mcafee:epolicy_orchestrator:4.6.3:*:*:*:*:*:*:*
- cpe:2.3:a:mcafee:epolicy_orchestrator:4.6.1:*:*:*:*:*:*:*
- cpe:2.3:a:mcafee:epolicy_orchestrator:4.6.5:*:*:*:*:*:*:*
- cpe:2.3:a:mcafee:epolicy_orchestrator:4.6.2:*:*:*:*:*:*:*
- cpe:2.3:a:mcafee:epolicy_orchestrator:4.6.6:*:*:*:*:*:*:*
- cpe:2.3:a:mcafee:epolicy_orchestrator:5.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:mcafee:epolicy_orchestrator:5.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:mcafee:epolicy_orchestrator:5.1.0:*:*:*:*:*:*:*
- cpe:2.3:a:mcafee:epolicy_orchestrator:5.1.1:*:*:*:*:*:*:*
- cpe:2.3:a:mcafee:epolicy_orchestrator:4.5.6:*:*:*:*:*:*:*
- cpe:2.3:a:mcafee:epolicy_orchestrator:4.5.7:*:*:*:*:*:*:*
- cpe:2.3:a:mcafee:epolicy_orchestrator:4.6.7:*:*:*:*:*:*:*
- cpe:2.3:a:mcafee:epolicy_orchestrator:5.1.2:*:*:*:*:*:*:*
- cpe:2.3:a:mcafee:epolicy_orchestrator:4.6.8:*:*:*:*:*:*:*
- cpe:2.3:a:mcafee:epolicy_orchestrator:4.6.9:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2015-2859
- 0.07%: probability of exploitation activity in the next 30 days
- ~ 28%: percentile, the proportion of vulnerabilities that are scored at or below this score
CVSS scores for CVE-2015-2859
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
5.8 | MEDIUM | AV:N/AC:M/Au:N/C:P/I:P/A:N | 8.6 | 4.9 | NIST | |
CWE ids for CVE-2015-2859
- Assigned by: nvd@nist.gov (Primary)
References for CVE-2015-2859
- http://www.kb.cert.org/vuls/id/264092
  VU#264092 - McAfee ePolicy Orchestrator fails to properly validate SSL/TLS certificates (Third Party Advisory; US Government Resource)
- https://kc.mcafee.com/corporate/index?page=content&id=SB10120
  Patch; Vendor Advisory
- http://www.securitytracker.com/id/1032571
  McAfee ePolicy Orchestrator SSL/TLS Certificate Validation Flaw Lets Remote Users Conduct Man-in-the-Middle Attacks - SecurityTracker
- http://www.securityfocus.com/bid/75020
  McAfee ePolicy Orchestrator CVE-2015-2859 SSL Certificate Validation Security Bypass Vulnerability
- https://kc.mcafee.com/corporate/index?page=content&id=KB84628
  Patch; Vendor Advisory