CVE-2015-3404

The Certify module before 6.x-2.3 for Drupal does not properly perform node access checks, which allows remote authenticated users to bypass intended access restrictions and obtain sensitive PDF certificate information via vectors related to "showing (and creating) the PDF certificates."

CVSS v2.0 4.0 MEDIUM

4.0^/10

CVSS v2.0 : MEDIUM

Vector : AV:N/AC:L/Au:S/C:P/I:N/A:N

Exploitability : 8.0 / Impact : 2.9

Access Vector NETWORK

Access Complexity LOW

Authentication SINGLE

Confidentiality Impact PARTIAL

Integrity Impact NONE

Availability Impact NONE

References

Link	Resource
http://www.openwall.com/lists/oss-security/2015/01/29/6
http://www.openwall.com/lists/oss-security/2015/04/21/8
http://www.securityfocus.com/bid/74282
https://www.drupal.org/node/2407081	Patch
https://www.drupal.org/node/2415947	Patch Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:certify_project:certify:6.x-2.2:*:*:*:*:drupal:*:*

History

No history.

Information

Published : 2015-04-22 22:59

Updated : 2024-02-04 18:35

NVD link : CVE-2015-3404

Mitre link : CVE-2015-3404

CVE.ORG link : CVE-2015-3404

JSON object : View

Products Affected

certify_project

certify

CWE

CWE-200

Exposure of Sensitive Information to an Unauthorized Actor

{"id": "CVE-2015-3404", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 4.0, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N", "authentication": "SINGLE", "integrityImpact": "NONE", "accessComplexity": "LOW", "availabilityImpact": "NONE", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 8.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "published": "2015-04-22T22:59:00.063", "references": [{"url": "http://www.openwall.com/lists/oss-security/2015/01/29/6", "source": "cve@mitre.org"}, {"url": "http://www.openwall.com/lists/oss-security/2015/04/21/8", "source": "cve@mitre.org"}, {"url": "http://www.securityfocus.com/bid/74282", "source": "cve@mitre.org"}, {"url": "https://www.drupal.org/node/2407081", "tags": ["Patch"], "source": "cve@mitre.org"}, {"url": "https://www.drupal.org/node/2415947", "tags": ["Patch", "Vendor Advisory"], "source": "cve@mitre.org"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-200"}]}], "descriptions": [{"lang": "en", "value": "The Certify module before 6.x-2.3 for Drupal does not properly perform node access checks, which allows remote authenticated users to bypass intended access restrictions and obtain sensitive PDF certificate information via vectors related to \"showing (and creating) the PDF certificates.\""}, {"lang": "es", "value": "El m\u00f3dulo Certify anterior a 6.x-2.3 para Drupal no realiza correctamente las comprobaciones de acceso a nodos, lo que permite a usuarios remotos autenticados evadir las restricciones de acceso y obtener informaci\u00f3n sensible de certificados PDF a gtrav\u00e9s de vectores relacionados con 'mostrar (y crear) los certificados PDF.'"}], "lastModified": "2016-12-06T03:00:52.457", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:certify_project:certify:6.x-2.2:*:*:*:*:drupal:*:*", "vulnerable": true, "matchCriteriaId": "D56266D9-9260-4967-BDB5-A6DCB9179BF7"}], "operator": "OR"}]}], "sourceIdentifier": "cve@mitre.org"}