CVE-2014-1615

Multiple cross-site request forgery (CSRF) vulnerabilities in Carbon Black before 4.1.0 allow remote attackers to hijack the authentication of administrators for requests that add new administrative users and have other unspecified action, as demonstrated by a request to api/user.

CVSS v2.0 6.8 MEDIUM

6.8^/10

CVSS v2.0 : MEDIUM

Vector : AV:N/AC:M/Au:N/C:P/I:P/A:P

Exploitability : 8.6 / Impact : 6.4

Access Vector NETWORK

Access Complexity MEDIUM

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact PARTIAL

References

Link	Resource
http://secunia.com/advisories/57645	Vendor Advisory
http://www.secureworks.com/advisories/SWRX-2014-007/SWRX-2014-007.pdf	Exploit

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:carbonblack:carbon_black::beta2::::::*
	cpe:2.3:a:carbonblack:carbon_black:4.0.3:::::::*
	cpe:2.3:a:carbonblack:carbon_black:4.1.0:beta1::::::

History

No history.

Information

Published : 2014-04-22 14:23

Updated : 2024-02-04 18:35

NVD link : CVE-2014-1615

Mitre link : CVE-2014-1615

CVE.ORG link : CVE-2014-1615

JSON object : View

Products Affected

carbonblack

carbon_black

CWE

CWE-352

Cross-Site Request Forgery (CSRF)

{"id": "CVE-2014-1615", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 6.8, "accessVector": "NETWORK", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "MEDIUM", "availabilityImpact": "PARTIAL", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 6.4, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 8.6, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": true}]}, "published": "2014-04-22T14:23:35.283", "references": [{"url": "http://secunia.com/advisories/57645", "tags": ["Vendor Advisory"], "source": "cve@mitre.org"}, {"url": "http://www.secureworks.com/advisories/SWRX-2014-007/SWRX-2014-007.pdf", "tags": ["Exploit"], "source": "cve@mitre.org"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-352"}]}], "descriptions": [{"lang": "en", "value": "Multiple cross-site request forgery (CSRF) vulnerabilities in Carbon Black before 4.1.0 allow remote attackers to hijack the authentication of administrators for requests that add new administrative users and have other unspecified action, as demonstrated by a request to api/user."}, {"lang": "es", "value": "M\u00faltiples vulnerabilidades de CSRF en Carbon Black anterior a 4.1.0 permiten a atacantes remotos secuestrar la autenticaci\u00f3n de administradores para solicitudes que a\u00f1aden usuarios administrativos nuevos y tener otra acci\u00f3n no especificada, tal y como fue demostrado por una solicitud hacia api/user."}], "lastModified": "2014-04-23T12:36:53.820", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:carbonblack:carbon_black:*:beta2:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "90E2E7E6-BA01-4C60-9E8D-B7B6B17C399B", "versionEndIncluding": "4.1.0"}, {"criteria": "cpe:2.3:a:carbonblack:carbon_black:4.0.3:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "E1673B83-5DCC-4C5E-BE19-0C1814A16EA2"}, {"criteria": "cpe:2.3:a:carbonblack:carbon_black:4.1.0:beta1:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "5A4F72AF-221D-40D4-805C-72A3D90445B5"}], "operator": "OR"}]}], "sourceIdentifier": "cve@mitre.org"}