CVE-2015-2203 - Vulnerability Details - OpenCVE

Evergreen 2.5.9, 2.6.7, and 2.7.4 allows remote authenticated users with STAFF_LOGIN permission to obtain sensitive settings history information by leveraging listing of open-ils.pcrud as a controller in the IDL.

No CVSS v4.0

No CVSS v3.1

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Evergreen-ils	Evergreen

Configuration 1 [-]

OR	cpe:2.3:a:evergreen-ils:evergreen:2.5.9:::::::*
	cpe:2.3:a:evergreen-ils:evergreen:2.6.7:::::::*
	cpe:2.3:a:evergreen-ils:evergreen:2.7.4:::::::*

No data.

References

Link	Providers
http://evergreen-ils.org/downloads/ChangeLog-2.5.8-2.5.9
http://evergreen-ils.org/downloads/ChangeLog-2.6.6-2.6.7
http://evergreen-ils.org/downloads/ChangeLog-2.7.3-2.7.4
http://evergreen-ils.org/security-releases-evergreen-2-7-4-2-6-7-and-2-5-9/
http://git.evergreen-ils.org/?p=Evergreen.git%3Ba=commit%3Bh=ac588e879cf73ff1b65617e0bd273361d3529063
http://www.openwall.com/lists/oss-security/2015/03/04/3
http://www.securityfocus.com/bid/72885
https://bugs.launchpad.net/evergreen/+bug/1206589

History

No history.

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2018-02-01T17:00:00

Updated: 2024-08-06T05:10:15.435Z

Reserved: 2015-03-03T00:00:00

Link: CVE-2015-2203

Vulnrichment

No data.

NVD

Status : Modified

Published: 2018-02-01T17:29:01.087

Modified: 2024-11-21T02:26:59.673

Link: CVE-2015-2203

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2015-03-03T00:00:00", "descriptions": [{"lang": "en", "value": "Evergreen 2.5.9, 2.6.7, and 2.7.4 allows remote authenticated users with STAFF_LOGIN permission to obtain sensitive settings history information by leveraging listing of open-ils.pcrud as a controller in the IDL."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2018-02-01T16:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "http://evergreen-ils.org/downloads/ChangeLog-2.7.3-2.7.4"}, {"name": "[oss-security] 20150303 Re: CVE request - Evergreen", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "http://www.openwall.com/lists/oss-security/2015/03/04/3"}, {"name": "72885", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/72885"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://bugs.launchpad.net/evergreen/+bug/1206589"}, {"tags": ["x_refsource_CONFIRM"], "url": "http://git.evergreen-ils.org/?p=Evergreen.git%3Ba=commit%3Bh=ac588e879cf73ff1b65617e0bd273361d3529063"}, {"tags": ["x_refsource_CONFIRM"], "url": "http://evergreen-ils.org/downloads/ChangeLog-2.6.6-2.6.7"}, {"tags": ["x_refsource_CONFIRM"], "url": "http://evergreen-ils.org/downloads/ChangeLog-2.5.8-2.5.9"}, {"tags": ["x_refsource_CONFIRM"], "url": "http://evergreen-ils.org/security-releases-evergreen-2-7-4-2-6-7-and-2-5-9/"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2015-2203", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Evergreen 2.5.9, 2.6.7, and 2.7.4 allows remote authenticated users with STAFF_LOGIN permission to obtain sensitive settings history information by leveraging listing of open-ils.pcrud as a controller in the IDL."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "http://evergreen-ils.org/downloads/ChangeLog-2.7.3-2.7.4", "refsource": "CONFIRM", "url": "http://evergreen-ils.org/downloads/ChangeLog-2.7.3-2.7.4"}, {"name": "[oss-security] 20150303 Re: CVE request - Evergreen", "refsource": "MLIST", "url": "http://www.openwall.com/lists/oss-security/2015/03/04/3"}, {"name": "72885", "refsource": "BID", "url": "http://www.securityfocus.com/bid/72885"}, {"name": "https://bugs.launchpad.net/evergreen/+bug/1206589", "refsource": "CONFIRM", "url": "https://bugs.launchpad.net/evergreen/+bug/1206589"}, {"name": "http://git.evergreen-ils.org/?p=Evergreen.git;a=commit;h=ac588e879cf73ff1b65617e0bd273361d3529063", "refsource": "CONFIRM", "url": "http://git.evergreen-ils.org/?p=Evergreen.git;a=commit;h=ac588e879cf73ff1b65617e0bd273361d3529063"}, {"name": "http://evergreen-ils.org/downloads/ChangeLog-2.6.6-2.6.7", "refsource": "CONFIRM", "url": "http://evergreen-ils.org/downloads/ChangeLog-2.6.6-2.6.7"}, {"name": "http://evergreen-ils.org/downloads/ChangeLog-2.5.8-2.5.9", "refsource": "CONFIRM", "url": "http://evergreen-ils.org/downloads/ChangeLog-2.5.8-2.5.9"}, {"name": "http://evergreen-ils.org/security-releases-evergreen-2-7-4-2-6-7-and-2-5-9/", "refsource": "CONFIRM", "url": "http://evergreen-ils.org/security-releases-evergreen-2-7-4-2-6-7-and-2-5-9/"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-06T05:10:15.435Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "http://evergreen-ils.org/downloads/ChangeLog-2.7.3-2.7.4"}, {"name": "[oss-security] 20150303 Re: CVE request - Evergreen", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "http://www.openwall.com/lists/oss-security/2015/03/04/3"}, {"name": "72885", "tags": ["vdb-entry", "x_refsource_BID", "x_transferred"], "url": "http://www.securityfocus.com/bid/72885"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://bugs.launchpad.net/evergreen/+bug/1206589"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "http://git.evergreen-ils.org/?p=Evergreen.git%3Ba=commit%3Bh=ac588e879cf73ff1b65617e0bd273361d3529063"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "http://evergreen-ils.org/downloads/ChangeLog-2.6.6-2.6.7"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "http://evergreen-ils.org/downloads/ChangeLog-2.5.8-2.5.9"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "http://evergreen-ils.org/security-releases-evergreen-2-7-4-2-6-7-and-2-5-9/"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2015-2203", "datePublished": "2018-02-01T17:00:00", "dateReserved": "2015-03-03T00:00:00", "dateUpdated": "2024-08-06T05:10:15.435Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:evergreen-ils:evergreen:2.5.9:*:*:*:*:*:*:*", "matchCriteriaId": "05025E13-05E4-458A-A2B1-7758B2377A08", "vulnerable": true}, {"criteria": "cpe:2.3:a:evergreen-ils:evergreen:2.6.7:*:*:*:*:*:*:*", "matchCriteriaId": "E28B1C75-954F-4CA4-B1B4-64069448F8A7", "vulnerable": true}, {"criteria": "cpe:2.3:a:evergreen-ils:evergreen:2.7.4:*:*:*:*:*:*:*", "matchCriteriaId": "DE175643-5A24-420B-8ED5-C9398613EFDA", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Evergreen 2.5.9, 2.6.7, and 2.7.4 allows remote authenticated users with STAFF_LOGIN permission to obtain sensitive settings history information by leveraging listing of open-ils.pcrud as a controller in the IDL."}, {"lang": "es", "value": "Evergreen 2.5.9, 2.6.7 y 2.7.4 permite que los usuarios autenticados remotos con permiso STAFF_LOGIN obtengan informaci\u00f3n sensible sobre el historial de configuraciones aprovech\u00e1ndose del listado de open-ils.pcrud como un controlador en el IDL."}], "id": "CVE-2015-2203", "lastModified": "2024-11-21T02:26:59.673", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 4.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.0"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2018-02-01T17:29:01.087", "references": [{"source": "cve@mitre.org", "tags": ["Issue Tracking", "Release Notes"], "url": "http://evergreen-ils.org/downloads/ChangeLog-2.5.8-2.5.9"}, {"source": "cve@mitre.org", "tags": ["Issue Tracking", "Release Notes"], "url": "http://evergreen-ils.org/downloads/ChangeLog-2.6.6-2.6.7"}, {"source": "cve@mitre.org", "tags": ["Issue Tracking", "Release Notes"], "url": "http://evergreen-ils.org/downloads/ChangeLog-2.7.3-2.7.4"}, {"source": "cve@mitre.org", "tags": ["Release Notes"], "url": "http://evergreen-ils.org/security-releases-evergreen-2-7-4-2-6-7-and-2-5-9/"}, {"source": "cve@mitre.org", "url": "http://git.evergreen-ils.org/?p=Evergreen.git%3Ba=commit%3Bh=ac588e879cf73ff1b65617e0bd273361d3529063"}, {"source": "cve@mitre.org", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://www.openwall.com/lists/oss-security/2015/03/04/3"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory", "VDB Entry"], "url": "http://www.securityfocus.com/bid/72885"}, {"source": "cve@mitre.org", "tags": ["Issue Tracking", "Patch"], "url": "https://bugs.launchpad.net/evergreen/+bug/1206589"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Issue Tracking", "Release Notes"], "url": "http://evergreen-ils.org/downloads/ChangeLog-2.5.8-2.5.9"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Issue Tracking", "Release Notes"], "url": "http://evergreen-ils.org/downloads/ChangeLog-2.6.6-2.6.7"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Issue Tracking", "Release Notes"], "url": "http://evergreen-ils.org/downloads/ChangeLog-2.7.3-2.7.4"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Release Notes"], "url": "http://evergreen-ils.org/security-releases-evergreen-2-7-4-2-6-7-and-2-5-9/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://git.evergreen-ils.org/?p=Evergreen.git%3Ba=commit%3Bh=ac588e879cf73ff1b65617e0bd273361d3529063"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://www.openwall.com/lists/oss-security/2015/03/04/3"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory", "VDB Entry"], "url": "http://www.securityfocus.com/bid/72885"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Issue Tracking", "Patch"], "url": "https://bugs.launchpad.net/evergreen/+bug/1206589"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-200"}], "source": "nvd@nist.gov", "type": "Primary"}]}