Vulnerability Details : CVE-2015-5255
Adobe BlazeDS, as used in ColdFusion 10 before Update 18 and 11 before Update 7 and LiveCycle Data Services 3.0.x before 3.0.0.354175, 3.1.x before 3.1.0.354180, 4.5.x before 4.5.1.354177, 4.6.2.x before 4.6.2.354178, and 4.7.x before 4.7.0.354178, allows remote attackers to send HTTP traffic to intranet servers via a crafted XML document, related to a Server-Side Request Forgery (SSRF) issue.
Vulnerability category: Server-side request forgery (SSRF); Input validation
Products affected by CVE-2015-5255
- cpe:2.3:a:hp:xp_p9000_command_view_advanced_edition:-:*:*:*:*:*:*:*
- cpe:2.3:a:hp:xp7_command_view_advanced_edition:-:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:coldfusion:*:update17:*:*:*:*:*:*
- cpe:2.3:a:adobe:coldfusion:*:update6:*:*:*:*:*:*
- cpe:2.3:a:adobe:livecycle_data_services:3.0:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:livecycle_data_services:4.5:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:livecycle_data_services:4.6:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:livecycle_data_services:4.7:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2015-5255
EPSS score: 0.31% (probability of exploitation activity in the next 30 days)
EPSS percentile: ~66% (the proportion of vulnerabilities that are scored at or below this score)
CVSS scores for CVE-2015-5255
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen
---|---|---|---|---|---|---
4.3 | MEDIUM | AV:N/AC:M/Au:N/C:N/I:P/A:N | 8.6 | 2.9 | NIST | 
CWE ids for CVE-2015-5255
- The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly. (Assigned by: nvd@nist.gov, Primary)
References for CVE-2015-5255
- Adobe LiveCycle XML Document Processing Flaw Lets Remote Users Conduct Cross-Site Request Forgery Attacks (SecurityTracker): http://www.securitytracker.com/id/1034210
- VMSA-2015-0008.2: http://www.vmware.com/security/advisories/VMSA-2015-0008.html
- Apache Flex BlazeDS 4.7.1 SSRF ≈ Packet Storm: http://packetstormsecurity.com/files/134506/Apache-Flex-BlazeDS-4.7.1-SSRF.html
- Adobe Security Bulletin [Patch; Vendor Advisory]: https://helpx.adobe.com/security/products/livecycleds/apsb15-30.html
- Multiple Adobe Products CVE-2015-5255 Server Side Request Forgery Security Bypass Vulnerability: http://www.securityfocus.com/bid/77626
- HPSBST03568 rev.1 - HP XP7 Command View Advanced Edition Suite including Device Manager and Hitachi Automation Director (HAD), Remote Server-Side Request Forgery (SSRF) [Third Party Advisory]: https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05073670
- SecurityFocus: http://www.securityfocus.com/archive/1/536958/100/0/threaded
- Adobe Security Bulletin [Patch; Vendor Advisory]: https://helpx.adobe.com/security/products/coldfusion/apsb15-29.html
- '[security bulletin] HPSBST03568 rev.1 - HP XP7 Command View Advanced Edition Suite including Device ' - MARC [Third Party Advisory]: http://marc.info/?l=bugtraq&m=145996963420108&w=2