7.5
CVE-2015-2204
- EPSS 3.17%
- Veröffentlicht 01.02.2018 17:29:01
- Zuletzt bearbeitet 21.11.2024 02:26:59
- Quelle cve@mitre.org
- CVE-Watchlists
- Unerledigt
LoginEvergreen before 2.5.9, 2.6.x before 2.6.7, and 2.7.x before 2.7.4 allows remote attackers to bypass an intended access restriction and obtain sensitive information about org unit settings by leveraging failure of open-ils.actor.ou_setting.ancestor_default to enforce view_perm when no auth token is provided.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Evergreen-ils ≫ Evergreen Version < 2.5.9
Evergreen-ils ≫ Evergreen Version >= 2.6.0 < 2.6.7
Evergreen-ils ≫ Evergreen Version >= 2.7.0 < 2.7.4
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 3.17% | 0.864 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 7.5 | 3.9 | 3.6 |
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
|
| nvd@nist.gov | 5 | 10 | 2.9 |
AV:N/AC:L/Au:N/C:P/I:N/A:N
|
CWE-200 Exposure of Sensitive Information to an Unauthorized Actor
The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
http://evergreen-ils.org/downloads/ChangeLog-2.5.8-2.5.9
http://evergreen-ils.org/downloads/ChangeLog-2.6.6-2.6.7
http://evergreen-ils.org/downloads/ChangeLog-2.7.3-2.7.4
http://evergreen-ils.org/security-releases-evergreen-2-7-4-2-6-7-and-2-5-9/
http://www.openwall.com/lists/oss-security/2015/03/04/3
http://git.evergreen-ils.org/?p=Evergreen.git%3Ba=commit%3Bh=3a0f1cc7b2efa517ee4cd4c6a682237554fed307
http://www.securityfocus.com/bid/72889
https://bugs.launchpad.net/evergreen/+bug/1424755