CVE-2009-3921

The Smartqueue_og module 5.x before 5.x-1.3 and 6.x before 6.x-1.0-rc3, a module for Drupal, does not verify group-node privileges in certain circumstances involving subqueue creation, which allows remote authenticated users to discover arbitrary organic group names by reading confirmation messages.

CVSS v2.0 4.0 MEDIUM

4.0^/10

CVSS v2.0 : MEDIUM

Vector : AV:N/AC:L/Au:S/C:P/I:N/A:N

Exploitability : 8.0 / Impact : 2.9

Access Vector NETWORK

Access Complexity LOW

Authentication SINGLE

Confidentiality Impact PARTIAL

Integrity Impact NONE

Availability Impact NONE

References

Link	Resource
http://drupal.org/node/617496	Patch Vendor Advisory
http://drupal.org/node/617500	Patch Vendor Advisory
http://drupal.org/node/623554	Patch Vendor Advisory
http://osvdb.org/59675
http://secunia.com/advisories/37288	Vendor Advisory
http://www.securityfocus.com/bid/36925	Patch

Configurations

Configuration 1 (hide)

AND

cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:*

OR	cpe:2.3:a:ezra_barnett_gildesgame:smartqueue_og:5.x-1.0:::::::*
	cpe:2.3:a:ezra_barnett_gildesgame:smartqueue_og:5.x-1.1:::::::*
	cpe:2.3:a:ezra_barnett_gildesgame:smartqueue_og:5.x-1.2:::::::*
	cpe:2.3:a:ezra_barnett_gildesgame:smartqueue_og:5.x-1.x-dev:::::::*
	cpe:2.3:a:ezra_barnett_gildesgame:smartqueue_og:6.x-1.0:rc1::::::
	cpe:2.3:a:ezra_barnett_gildesgame:smartqueue_og:6.x-1.0:rc2::::::
	cpe:2.3:a:ezra_barnett_gildesgame:smartqueue_og:6.x-1.x-dev:::::::*

History

No history.

Information

Published : 2009-11-09 17:30

Updated : 2024-02-04 17:33

NVD link : CVE-2009-3921

Mitre link : CVE-2009-3921

CVE.ORG link : CVE-2009-3921

JSON object : View

Products Affected

ezra_barnett_gildesgame

smartqueue_og

drupal

drupal

CWE

CWE-264

Permissions, Privileges, and Access Controls

{"id": "CVE-2009-3921", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 4.0, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N", "authentication": "SINGLE", "integrityImpact": "NONE", "accessComplexity": "LOW", "availabilityImpact": "NONE", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 8.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "published": "2009-11-09T17:30:00.953", "references": [{"url": "http://drupal.org/node/617496", "tags": ["Patch", "Vendor Advisory"], "source": "cve@mitre.org"}, {"url": "http://drupal.org/node/617500", "tags": ["Patch", "Vendor Advisory"], "source": "cve@mitre.org"}, {"url": "http://drupal.org/node/623554", "tags": ["Patch", "Vendor Advisory"], "source": "cve@mitre.org"}, {"url": "http://osvdb.org/59675", "source": "cve@mitre.org"}, {"url": "http://secunia.com/advisories/37288", "tags": ["Vendor Advisory"], "source": "cve@mitre.org"}, {"url": "http://www.securityfocus.com/bid/36925", "tags": ["Patch"], "source": "cve@mitre.org"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-264"}]}], "descriptions": [{"lang": "en", "value": "The Smartqueue_og module 5.x before 5.x-1.3 and 6.x before 6.x-1.0-rc3, a module for Drupal, does not verify group-node privileges in certain circumstances involving subqueue creation, which allows remote authenticated users to discover arbitrary organic group names by reading confirmation messages."}, {"lang": "es", "value": "El m\u00f3dulo Smartqueue_og v5.x anteriores a v5.x-1.3 y v6.x anteriores a6.x-1.0-rc3, m\u00f3dulo para Drupal, en ciertas circunstancias no verifica los privilegios del nodo de grupo, implicando la creaci\u00f3n de una sub-cola que permite a usuarios remotos autenticados, descubrir nombres de grupo org\u00e1nicos de su elecci\u00f3n leyendo los mensajes de confirmaci\u00f3n."}], "lastModified": "2009-11-10T05:00:00.000", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "799CA80B-F3FA-4183-A791-2071A7DA1E54"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:ezra_barnett_gildesgame:smartqueue_og:5.x-1.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "6BC40212-935B-4742-B5F4-0128D4D5691D"}, {"criteria": "cpe:2.3:a:ezra_barnett_gildesgame:smartqueue_og:5.x-1.1:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "0FBC957C-6687-4D78-A3FB-98F3D3DC4CE2"}, {"criteria": "cpe:2.3:a:ezra_barnett_gildesgame:smartqueue_og:5.x-1.2:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "D3C40725-FEF7-4E96-A6B7-FB496070AD63"}, {"criteria": "cpe:2.3:a:ezra_barnett_gildesgame:smartqueue_og:5.x-1.x-dev:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "BF93D1D4-2E97-4773-849F-1F0D89BA83E9"}, {"criteria": "cpe:2.3:a:ezra_barnett_gildesgame:smartqueue_og:6.x-1.0:rc1:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "EF19A274-1AE2-44B9-839B-3EF84DB235F2"}, {"criteria": "cpe:2.3:a:ezra_barnett_gildesgame:smartqueue_og:6.x-1.0:rc2:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "1F30C62A-DC66-4498-8572-9608D5C137B5"}, {"criteria": "cpe:2.3:a:ezra_barnett_gildesgame:smartqueue_og:6.x-1.x-dev:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "5FD0B6B4-7B13-4E7B-B371-13004653FFF1"}], "operator": "OR"}], "operator": "AND"}], "sourceIdentifier": "cve@mitre.org"}