CVE-2015-2204

Evergreen before 2.5.9, 2.6.x before 2.6.7, and 2.7.x before 2.7.4 allows remote attackers to bypass an intended access restriction and obtain sensitive information about org unit settings by leveraging failure of open-ils.actor.ou_setting.ancestor_default to enforce view_perm when no auth token is provided.

Published: Feb 1, 2018
Updated: Apr 13, 2023
CVE: CVE-2015-2204
Severity: High
Exploit:

CVSS v3:

Severity: High
Score: 7.5
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CVSS v2:

Severity: Medium
Score: 5
AV:N/AC:L/Au:N/C:P/I:N/A:N

CWEs:

CWE-200

Affected Software
References

Software	From	Fixed in
evergreen-ils / evergreen	2.7.0	2.7.4
evergreen-ils / evergreen	2.6.0	2.6.7
evergreen-ils / evergreen	-	2.5.9

http://evergreen-ils.org/downloads/ChangeLog-2.5.8-2.5.9
http://evergreen-ils.org/downloads/ChangeLog-2.6.6-2.6.7
http://evergreen-ils.org/downloads/ChangeLog-2.7.3-2.7.4
http://evergreen-ils.org/security-releases-evergreen-2-7-4-2-6-7-and-2-5-9/
http://git.evergreen-ils.org/?p=Evergreen.git;a=commit;h=3a0f1cc7b2efa517ee4cd4c6a682237554fed307
http://git.evergreen-ils.org/?p=Evergreen.git%3Ba=commit%3Bh=3a0f1cc7b2efa517ee4cd4c6a682237554fed307
http://www.openwall.com/lists/oss-security/2015/03/04/3
http://www.securityfocus.com/bid/72889
https://bugs.launchpad.net/evergreen/+bug/1424755

Vulnerability Database

289,689

CVE-2015-2204