CVE-2015-2913

{"id": "CVE-2015-2913", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 4.3, "accessVector": "NETWORK", "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "authentication": "NONE", "integrityImpact": "NONE", "accessComplexity": "MEDIUM", "availabilityImpact": "NONE", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 8.6, "obtainUserPrivilege": false, "obtainOtherPrivilege": false}], "cvssMetricV30": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.0", "baseScore": 5.9, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 2.2}]}, "published": "2015-12-31T05:59:09.470", "references": [{"url": "https://github.com/orientechnologies/orientdb/commit/668ece96be210e742a4e2820a3085b215cf55104", "tags": ["Vendor Advisory"], "source": "cret@cert.org"}, {"url": "https://www.kb.cert.org/vuls/id/845332", "tags": ["Third Party Advisory", "US Government Resource"], "source": "cret@cert.org"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-200"}]}], "descriptions": [{"lang": "en", "value": "server/network/protocol/http/OHttpSessionManager.java in the Studio component in OrientDB Server Community Edition before 2.0.15 and 2.1.x before 2.1.1 improperly relies on the java.util.Random class for generation of random Session ID values, which makes it easier for remote attackers to predict a value by determining the internal state of the PRNG in this class."}, {"lang": "es", "value": "server/network/protocol/http/OHttpSessionManager.java en el componente Studio en OrientDB Server Community Edition en versiones anteriores a 2.0.15 y 2.1.x en versiones anteriores a 2.1.1 conf\u00eda indebidamente en la clase java.util.Random para la generaci\u00f3n de valores de Session ID aleatorios, lo que hace m\u00e1s f\u00e1cil a atacantes remotos predecir un valor determinando el estado interno de PRNG en esta clase."}], "lastModified": "2015-12-31T20:40:02.470", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:orientdb:orientdb:2.0.14:*:*:*:community:*:*:*", "vulnerable": true, "matchCriteriaId": "6D3EEB60-F819-4F15-962C-06DDA45896E9"}, {"criteria": "cpe:2.3:a:orientdb:orientdb:2.1.0:*:*:*:community:*:*:*", "vulnerable": true, "matchCriteriaId": "C913E0D2-2E28-4BB6-957C-9832193C3FB4"}], "operator": "OR"}]}], "sourceIdentifier": "cret@cert.org"}