CVE-2015-2204
HIGHEvergreen <2.5.9, 2.6.x<2.6.7, 2.7.x<2.7.4 - Sensitive Information Exposure
Title source: llmDescription
Evergreen before 2.5.9, 2.6.x before 2.6.7, and 2.7.x before 2.7.4 allows remote attackers to bypass an intended access restriction and obtain sensitive information about org unit settings by leveraging failure of open-ils.actor.ou_setting.ancestor_default to enforce view_perm when no auth token is provided.
References (8)
Core 8
Core References
Issue Tracking, Release Notes x_refsource_confirm
http://evergreen-ils.org/downloads/ChangeLog-2.7.3-2.7.4
Issue Tracking, Mailing List, Third Party Advisory mailing-list
x_refsource_mlist
http://www.openwall.com/lists/oss-security/2015/03/04/3
Third Party Advisory, VDB Entry vdb-entry
x_refsource_bid
http://www.securityfocus.com/bid/72889
Various Sources x_refsource_confirm
http://git.evergreen-ils.org/?p=Evergreen.git%3Ba=commit%3Bh=3a0f1cc7b2efa517ee4cd4c6a682237554fed307
Issue Tracking, Release Notes x_refsource_confirm
http://evergreen-ils.org/downloads/ChangeLog-2.6.6-2.6.7
Issue Tracking, Release Notes x_refsource_confirm
http://evergreen-ils.org/downloads/ChangeLog-2.5.8-2.5.9
Issue Tracking, Patch, Release Notes x_refsource_confirm
http://evergreen-ils.org/security-releases-evergreen-2-7-4-2-6-7-and-2-5-9/
Issue Tracking, Patch, Vendor Advisory x_refsource_confirm
https://bugs.launchpad.net/evergreen/+bug/1424755
Scores
CVSS v3
7.5
EPSS
0.0317
EPSS Percentile
86.5%
Attack Vector
NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Details
CWE
CWE-200
Status
published
Products (1)
evergreen-ils/evergreen
< 2.5.9
Published
Feb 01, 2018
Tracked Since
Feb 18, 2026