CVE-2015-2204 - Vulnerability Details - OpenCVE

Evergreen before 2.5.9, 2.6.x before 2.6.7, and 2.7.x before 2.7.4 allows remote attackers to bypass an intended access restriction and obtain sensitive information about org unit settings by leveraging failure of open-ils.actor.ou_setting.ancestor_default to enforce view_perm when no auth token is provided.

No CVSS v4.0

No CVSS v3.1

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Evergreen-ils	Evergreen

Configuration 1 [-]

OR	cpe:2.3:a:evergreen-ils:evergreen::::::::
	cpe:2.3:a:evergreen-ils:evergreen::::::::
	cpe:2.3:a:evergreen-ils:evergreen::::::::

No data.

References

Link	Providers
http://evergreen-ils.org/downloads/ChangeLog-2.5.8-2.5.9
http://evergreen-ils.org/downloads/ChangeLog-2.6.6-2.6.7
http://evergreen-ils.org/downloads/ChangeLog-2.7.3-2.7.4
http://evergreen-ils.org/security-releases-evergreen-2-7-4-2-6-7-and-2-5-9/
http://git.evergreen-ils.org/?p=Evergreen.git%3Ba=commit%3Bh=3a0f1cc7b2efa517ee4cd4c6a682237554fed307
http://www.openwall.com/lists/oss-security/2015/03/04/3
http://www.securityfocus.com/bid/72889
https://bugs.launchpad.net/evergreen/+bug/1424755

History

No history.

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2018-02-01T17:00:00

Updated: 2024-08-06T05:10:15.332Z

Reserved: 2015-03-03T00:00:00

Link: CVE-2015-2204

Vulnrichment

No data.

NVD

Status : Modified

Published: 2018-02-01T17:29:01.167

Modified: 2024-11-21T02:26:59.840

Link: CVE-2015-2204

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2015-03-03T00:00:00", "descriptions": [{"lang": "en", "value": "Evergreen before 2.5.9, 2.6.x before 2.6.7, and 2.7.x before 2.7.4 allows remote attackers to bypass an intended access restriction and obtain sensitive information about org unit settings by leveraging failure of open-ils.actor.ou_setting.ancestor_default to enforce view_perm when no auth token is provided."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2018-02-01T16:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "http://evergreen-ils.org/downloads/ChangeLog-2.7.3-2.7.4"}, {"name": "[oss-security] 20150303 Re: CVE request - Evergreen", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "http://www.openwall.com/lists/oss-security/2015/03/04/3"}, {"name": "72889", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/72889"}, {"tags": ["x_refsource_CONFIRM"], "url": "http://git.evergreen-ils.org/?p=Evergreen.git%3Ba=commit%3Bh=3a0f1cc7b2efa517ee4cd4c6a682237554fed307"}, {"tags": ["x_refsource_CONFIRM"], "url": "http://evergreen-ils.org/downloads/ChangeLog-2.6.6-2.6.7"}, {"tags": ["x_refsource_CONFIRM"], "url": "http://evergreen-ils.org/downloads/ChangeLog-2.5.8-2.5.9"}, {"tags": ["x_refsource_CONFIRM"], "url": "http://evergreen-ils.org/security-releases-evergreen-2-7-4-2-6-7-and-2-5-9/"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://bugs.launchpad.net/evergreen/+bug/1424755"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2015-2204", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Evergreen before 2.5.9, 2.6.x before 2.6.7, and 2.7.x before 2.7.4 allows remote attackers to bypass an intended access restriction and obtain sensitive information about org unit settings by leveraging failure of open-ils.actor.ou_setting.ancestor_default to enforce view_perm when no auth token is provided."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "http://evergreen-ils.org/downloads/ChangeLog-2.7.3-2.7.4", "refsource": "CONFIRM", "url": "http://evergreen-ils.org/downloads/ChangeLog-2.7.3-2.7.4"}, {"name": "[oss-security] 20150303 Re: CVE request - Evergreen", "refsource": "MLIST", "url": "http://www.openwall.com/lists/oss-security/2015/03/04/3"}, {"name": "72889", "refsource": "BID", "url": "http://www.securityfocus.com/bid/72889"}, {"name": "http://git.evergreen-ils.org/?p=Evergreen.git;a=commit;h=3a0f1cc7b2efa517ee4cd4c6a682237554fed307", "refsource": "CONFIRM", "url": "http://git.evergreen-ils.org/?p=Evergreen.git;a=commit;h=3a0f1cc7b2efa517ee4cd4c6a682237554fed307"}, {"name": "http://evergreen-ils.org/downloads/ChangeLog-2.6.6-2.6.7", "refsource": "CONFIRM", "url": "http://evergreen-ils.org/downloads/ChangeLog-2.6.6-2.6.7"}, {"name": "http://evergreen-ils.org/downloads/ChangeLog-2.5.8-2.5.9", "refsource": "CONFIRM", "url": "http://evergreen-ils.org/downloads/ChangeLog-2.5.8-2.5.9"}, {"name": "http://evergreen-ils.org/security-releases-evergreen-2-7-4-2-6-7-and-2-5-9/", "refsource": "CONFIRM", "url": "http://evergreen-ils.org/security-releases-evergreen-2-7-4-2-6-7-and-2-5-9/"}, {"name": "https://bugs.launchpad.net/evergreen/+bug/1424755", "refsource": "CONFIRM", "url": "https://bugs.launchpad.net/evergreen/+bug/1424755"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-06T05:10:15.332Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "http://evergreen-ils.org/downloads/ChangeLog-2.7.3-2.7.4"}, {"name": "[oss-security] 20150303 Re: CVE request - Evergreen", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "http://www.openwall.com/lists/oss-security/2015/03/04/3"}, {"name": "72889", "tags": ["vdb-entry", "x_refsource_BID", "x_transferred"], "url": "http://www.securityfocus.com/bid/72889"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "http://git.evergreen-ils.org/?p=Evergreen.git%3Ba=commit%3Bh=3a0f1cc7b2efa517ee4cd4c6a682237554fed307"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "http://evergreen-ils.org/downloads/ChangeLog-2.6.6-2.6.7"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "http://evergreen-ils.org/downloads/ChangeLog-2.5.8-2.5.9"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "http://evergreen-ils.org/security-releases-evergreen-2-7-4-2-6-7-and-2-5-9/"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://bugs.launchpad.net/evergreen/+bug/1424755"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2015-2204", "datePublished": "2018-02-01T17:00:00", "dateReserved": "2015-03-03T00:00:00", "dateUpdated": "2024-08-06T05:10:15.332Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:evergreen-ils:evergreen:*:*:*:*:*:*:*:*", "matchCriteriaId": "9C011F2C-C3E1-45E5-B0EC-9062E9BC4D49", "versionEndExcluding": "2.5.9", "vulnerable": true}, {"criteria": "cpe:2.3:a:evergreen-ils:evergreen:*:*:*:*:*:*:*:*", "matchCriteriaId": "3FF50689-92F5-49E6-9F28-D3D4EE097BC7", "versionEndExcluding": "2.6.7", "versionStartIncluding": "2.6.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:evergreen-ils:evergreen:*:*:*:*:*:*:*:*", "matchCriteriaId": "E6DCEDFF-4A88-4931-B550-E3E0E3E58C99", "versionEndExcluding": "2.7.4", "versionStartIncluding": "2.7.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Evergreen before 2.5.9, 2.6.x before 2.6.7, and 2.7.x before 2.7.4 allows remote attackers to bypass an intended access restriction and obtain sensitive information about org unit settings by leveraging failure of open-ils.actor.ou_setting.ancestor_default to enforce view_perm when no auth token is provided."}, {"lang": "es", "value": "Evergreen en versiones anteriores a la 2.5.9, 2.6.x anteriores a la 2.6.7 y 2.7.x anteriores a la 2.7.4 permite que atacantes remotos omitan una restricci\u00f3n de acceso y obtengan informaci\u00f3n sensible sobre la configuraci\u00f3n de las unidades organizativas aprovech\u00e1ndose del fallo open-ils.actor.ou_setting.ancestor_default para hacer cumplir view_perm cuando no se proporciona ning\u00fan token de autenticaci\u00f3n."}], "id": "CVE-2015-2204", "lastModified": "2024-11-21T02:26:59.840", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.0"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2018-02-01T17:29:01.167", "references": [{"source": "cve@mitre.org", "tags": ["Issue Tracking", "Release Notes"], "url": "http://evergreen-ils.org/downloads/ChangeLog-2.5.8-2.5.9"}, {"source": "cve@mitre.org", "tags": ["Issue Tracking", "Release Notes"], "url": "http://evergreen-ils.org/downloads/ChangeLog-2.6.6-2.6.7"}, {"source": "cve@mitre.org", "tags": ["Issue Tracking", "Release Notes"], "url": "http://evergreen-ils.org/downloads/ChangeLog-2.7.3-2.7.4"}, {"source": "cve@mitre.org", "tags": ["Issue Tracking", "Patch", "Release Notes"], "url": "http://evergreen-ils.org/security-releases-evergreen-2-7-4-2-6-7-and-2-5-9/"}, {"source": "cve@mitre.org", "url": "http://git.evergreen-ils.org/?p=Evergreen.git%3Ba=commit%3Bh=3a0f1cc7b2efa517ee4cd4c6a682237554fed307"}, {"source": "cve@mitre.org", "tags": ["Issue Tracking", "Mailing List", "Third Party Advisory"], "url": "http://www.openwall.com/lists/oss-security/2015/03/04/3"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory", "VDB Entry"], "url": "http://www.securityfocus.com/bid/72889"}, {"source": "cve@mitre.org", "tags": ["Issue Tracking", "Patch", "Vendor Advisory"], "url": "https://bugs.launchpad.net/evergreen/+bug/1424755"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Issue Tracking", "Release Notes"], "url": "http://evergreen-ils.org/downloads/ChangeLog-2.5.8-2.5.9"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Issue Tracking", "Release Notes"], "url": "http://evergreen-ils.org/downloads/ChangeLog-2.6.6-2.6.7"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Issue Tracking", "Release Notes"], "url": "http://evergreen-ils.org/downloads/ChangeLog-2.7.3-2.7.4"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Issue Tracking", "Patch", "Release Notes"], "url": "http://evergreen-ils.org/security-releases-evergreen-2-7-4-2-6-7-and-2-5-9/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://git.evergreen-ils.org/?p=Evergreen.git%3Ba=commit%3Bh=3a0f1cc7b2efa517ee4cd4c6a682237554fed307"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Issue Tracking", "Mailing List", "Third Party Advisory"], "url": "http://www.openwall.com/lists/oss-security/2015/03/04/3"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory", "VDB Entry"], "url": "http://www.securityfocus.com/bid/72889"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Issue Tracking", "Patch", "Vendor Advisory"], "url": "https://bugs.launchpad.net/evergreen/+bug/1424755"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-200"}], "source": "nvd@nist.gov", "type": "Primary"}]}