Evergreen before 2.5.9, 2.6.x before 2.6.7, and 2.7.x before 2.7.4 allows remote attackers to bypass an intended access restriction and obtain sensitive information about org unit settings by leveraging failure of open-ils.actor.ou_setting.ancestor_default to enforce view_perm when no auth token is provided.
References
Link | Resource |
---|---|
http://evergreen-ils.org/downloads/ChangeLog-2.5.8-2.5.9 | Issue Tracking Release Notes |
http://evergreen-ils.org/downloads/ChangeLog-2.6.6-2.6.7 | Issue Tracking Release Notes |
http://evergreen-ils.org/downloads/ChangeLog-2.7.3-2.7.4 | Issue Tracking Release Notes |
http://evergreen-ils.org/security-releases-evergreen-2-7-4-2-6-7-and-2-5-9/ | Issue Tracking Patch Release Notes |
http://git.evergreen-ils.org/?p=Evergreen.git%3Ba=commit%3Bh=3a0f1cc7b2efa517ee4cd4c6a682237554fed307 | |
http://www.openwall.com/lists/oss-security/2015/03/04/3 | Mailing List Issue Tracking Third Party Advisory |
http://www.securityfocus.com/bid/72889 | Third Party Advisory VDB Entry |
https://bugs.launchpad.net/evergreen/+bug/1424755 | Issue Tracking Vendor Advisory Patch |
Configurations
Configuration 1 (hide)
|
History
No history.
Information
Published : 2018-02-01 17:29
Updated : 2024-02-04 19:46
NVD link : CVE-2015-2204
Mitre link : CVE-2015-2204
CVE.ORG link : CVE-2015-2204
JSON object : View
Products Affected
evergreen-ils
- evergreen
CWE
CWE-200
Exposure of Sensitive Information to an Unauthorized Actor