Vulnerability Details CVE-2015-2204
Evergreen before 2.5.9, 2.6.x before 2.6.7, and 2.7.x before 2.7.4 allows remote attackers to bypass an intended access restriction and obtain sensitive information about org unit settings by leveraging failure of open-ils.actor.ou_setting.ancestor_default to enforce view_perm when no auth token is provided.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.006
EPSS Ranking 69.1%
CVSS Severity
CVSS v3 Score 7.5
CVSS v2 Score 5.0
References
- http://evergreen-ils.org/downloads/ChangeLog-2.5.8-2.5.9
- http://evergreen-ils.org/downloads/ChangeLog-2.6.6-2.6.7
- http://evergreen-ils.org/downloads/ChangeLog-2.7.3-2.7.4
- http://evergreen-ils.org/security-releases-evergreen-2-7-4-2-6-7-and-2-5-9/
- http://git.evergreen-ils.org/?p=Evergreen.git%3Ba=commit%3Bh=3a0f1cc7b2efa517ee4cd4c6a682237554fed307
- http://www.openwall.com/lists/oss-security/2015/03/04/3
- http://www.securityfocus.com/bid/72889
- https://bugs.launchpad.net/evergreen/+bug/1424755
- http://evergreen-ils.org/downloads/ChangeLog-2.5.8-2.5.9
- http://evergreen-ils.org/downloads/ChangeLog-2.6.6-2.6.7
- http://evergreen-ils.org/downloads/ChangeLog-2.7.3-2.7.4
- http://evergreen-ils.org/security-releases-evergreen-2-7-4-2-6-7-and-2-5-9/
- http://git.evergreen-ils.org/?p=Evergreen.git%3Ba=commit%3Bh=3a0f1cc7b2efa517ee4cd4c6a682237554fed307
- http://www.openwall.com/lists/oss-security/2015/03/04/3
- http://www.securityfocus.com/bid/72889
- https://bugs.launchpad.net/evergreen/+bug/1424755
Products affected by CVE-2015-2204
-
cpe:2.3:a:evergreen-ils:evergreen:2.5.7
-
cpe:2.3:a:evergreen-ils:evergreen:2.5.8
-
cpe:2.3:a:evergreen-ils:evergreen:2.6.0
-
cpe:2.3:a:evergreen-ils:evergreen:2.6.4
-
cpe:2.3:a:evergreen-ils:evergreen:2.6.5
-
cpe:2.3:a:evergreen-ils:evergreen:2.6.6
-
cpe:2.3:a:evergreen-ils:evergreen:2.7.0
-
cpe:2.3:a:evergreen-ils:evergreen:2.7.3