CVE-2015-2204
N/A
N/A
Summary
Evergreen before 2.5.9, 2.6.x before 2.6.7, and 2.7.x before 2.7.4 allows remote attackers to bypass an intended access restriction and obtain sensitive information about org unit settings by leveraging failure of open-ils.actor.ou_setting.ancestor_default to enforce view_perm when no auth token is provided.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| n/a | n/a | n/a | affected |
Weaknesses
- n/a
ADP Enrichment
CVE Program Container
Additional References
- http://evergreen-ils.org/downloads/ChangeLog-2.7.3-2.7.4
- http://www.openwall.com/lists/oss-security/2015/03/04/3
- http://www.securityfocus.com/bid/72889
- http://git.evergreen-ils.org/?p=Evergreen.git%3Ba=commit%3Bh=3a0f1cc7b2efa517ee4cd4c6a682237554fed307
- http://evergreen-ils.org/downloads/ChangeLog-2.6.6-2.6.7
- http://evergreen-ils.org/downloads/ChangeLog-2.5.8-2.5.9
- http://evergreen-ils.org/security-releases-evergreen-2-7-4-2-6-7-and-2-5-9/
- https://bugs.launchpad.net/evergreen/+bug/1424755
References
- http://evergreen-ils.org/downloads/ChangeLog-2.7.3-2.7.4
- http://www.openwall.com/lists/oss-security/2015/03/04/3
- http://www.securityfocus.com/bid/72889
- http://git.evergreen-ils.org/?p=Evergreen.git%3Ba=commit%3Bh=3a0f1cc7b2efa517ee4cd4c6a682237554fed307
- http://evergreen-ils.org/downloads/ChangeLog-2.6.6-2.6.7
- http://evergreen-ils.org/downloads/ChangeLog-2.5.8-2.5.9
- http://evergreen-ils.org/security-releases-evergreen-2-7-4-2-6-7-and-2-5-9/
- https://bugs.launchpad.net/evergreen/+bug/1424755
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.