Vulnerability Details : CVE-2015-2913
server/network/protocol/http/OHttpSessionManager.java in the Studio component in OrientDB Server Community Edition before 2.0.15 and 2.1.x before 2.1.1 improperly relies on the java.util.Random class for generation of random Session ID values, which makes it easier for remote attackers to predict a value by determining the internal state of the PRNG in this class. java.util.Random is not a cryptographically secure generator, so any value it produces that must be unguessable (a session ID here) should instead come from java.security.SecureRandom, which is the change the vendor fix commit referenced below made.
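The weak and the fixed generator side by side, as an added illustration that is not OrientDB's own code: the hypothetical `legacySessionId` draws session IDs from java.util.Random the way the description says the Studio session manager did, and `secureSessionId` uses the SecureRandom replacement the referenced commit adopted. The 16-byte length and hex encoding are assumptions, not OrientDB's format.

```java
import java.security.SecureRandom;
import java.util.Random;

// Added illustration, not OrientDB code. Method names are hypothetical.
public class SessionIdExample {
    private static final int ID_BYTES = 16;
    private static final char[] HEX = "0123456789abcdef".toCharArray();

    // Weak: java.util.Random is a 48-bit linear congruential generator.
    // Once its internal state is known, every later output is determined,
    // so session IDs drawn from it are predictable. Never use it for secrets.
    private static final Random WEAK = new Random();

    // Fixed: SecureRandom is a CSPRNG; earlier outputs do not reveal later
    // ones, which is exactly the property an unguessable session ID needs.
    private static final SecureRandom STRONG = new SecureRandom();

    // The pre-fix pattern (CVE-2015-2913): do not do this.
    public static String legacySessionId() {
        byte[] buf = new byte[ID_BYTES];
        WEAK.nextBytes(buf);
        return toHex(buf);
    }

    // The post-fix pattern: same shape, secure source of randomness.
    public static String secureSessionId() {
        byte[] buf = new byte[ID_BYTES];
        STRONG.nextBytes(buf);
        return toHex(buf);
    }

    private static String toHex(byte[] bytes) {
        StringBuilder sb = new StringBuilder(bytes.length * 2);
        for (byte b : bytes) {
            sb.append(HEX[(b >> 4) & 0xF]).append(HEX[b & 0xF]);
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        // Why java.util.Random is unfit: identical state yields identical
        // "random" IDs. SecureRandom has no such reproducible state.
        Random a = new Random(42L), b = new Random(42L);
        byte[] x = new byte[ID_BYTES], y = new byte[ID_BYTES];
        a.nextBytes(x);
        b.nextBytes(y);
        System.out.println("Random, same state, same IDs: " + toHex(x).equals(toHex(y)));
        System.out.println("Secure session ID: " + secureSessionId());
    }
}
```

A cheap code-review check for this class of bug is to search a code base for `new Random(` and `Math.random(` inside session, token, nonce or password-reset code and replace those uses with SecureRandom.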
Vulnerability category: Information leak
Products affected by CVE-2015-2913
- cpe:2.3:a:orientdb:orientdb:2.1.0:*:*:*:community:*:*:*
- cpe:2.3:a:orientdb:orientdb:2.0.14:*:*:*:community:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2015-2913
- 0.23%: probability of exploitation activity in the next 30 days
- ~60%: percentile, the proportion of vulnerabilities that are scored at or less
(EPSS Score History chart not reproduced here)
CVSS scores for CVE-2015-2913
| Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
|---|---|---|---|---|---|---|
| 4.3 | MEDIUM | AV:N/AC:M/Au:N/C:P/I:N/A:N | 8.6 | 2.9 | NIST | |
| 5.9 | MEDIUM | CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N | 2.2 | 3.6 | NIST | |
CWE ids for CVE-2015-2913
- The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information. Assigned by: nvd@nist.gov (Primary)
References for CVE-2015-2913
- https://github.com/orientechnologies/orientdb/commit/668ece96be210e742a4e2820a3085b215cf55104
  "Adopted SecureRandom to avoid predictable random numbers in session" (orientechnologies/orientdb@668ece9, GitHub). Vendor Advisory
- https://www.kb.cert.org/vuls/id/845332
  "VU#845332 - OrientDB and Studio prior to version 2.1.1 contain multiple vulnerabilities". Third Party Advisory; US Government Resource