CVE-2015-2204 Information

Feb 14, 2021 cve

Description

Evergreen before 2.5.9 2.6.x before 2.6.7 and 2.7.x before 2.7.4 allows remote attackers to bypass an intended access restriction and obtain sensitive information about org unit settings by leveraging failure of open-ils.actor.ou_setting.ancestor_default to enforce view_perm when no auth token is provided.

CVSS Vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Reference

http://evergreen-ils.org/downloads/ChangeLog-2.5.8-2.5.9 http://evergreen-ils.org/downloads/ChangeLog-2.6.6-2.6.7 http://evergreen-ils.org/downloads/ChangeLog-2.7.3-2.7.4 http://evergreen-ils.org/security-releases-evergreen-2-7-4-2-6-7-and-2-5-9/ http://git.evergreen-ils.org/?p=Evergreen.git;a=commit;h=3a0f1cc7b2efa517ee4cd4c6a682237554fed307 http://www.openwall.com/lists/oss-security/2015/03/04/3 http://www.securityfocus.com/bid/72889 https://bugs.launchpad.net/evergreen/+bug/1424755

Attack Complexity

LOW

Privileges Required

NONE

User Interaction Required

NONE

Scope

NONE

Confidentiality Impact

UNCHANGED

Integrity Impact

HIGH

Availability Impact

NONE

Base Score

NONE

Base Severity

7.5

Share on: