CVE-2014-2983

Drupal 6.x before 6.31 and 7.x before 7.27 does not properly isolate the cached data of different anonymous users, which allows remote anonymous users to obtain sensitive interim form input information in opportunistic situations via unspecified vectors.

CVSS v2.0 5.0 MEDIUM

5.0^/10

CVSS v2.0 : MEDIUM

V2 Legend

Vector : AV:N/AC:L/Au:N/C:P/I:N/A:N

Exploitability : 10.0 / Impact : 2.9

Access Vector NETWORK

Access Complexity LOW

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact NONE

Availability Impact NONE

References

Link	Resource
https://drupal.org/SA-CORE-2014-002	Patch Vendor Advisory
http://www.openwall.com/lists/oss-security/2014/04/22/2	Mailing List Third Party Advisory
http://www.debian.org/security/2014/dsa-2914	Third Party Advisory
http://www.debian.org/security/2014/dsa-2913	Third Party Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:drupal:drupal::::::::
	cpe:2.3:a:drupal:drupal::::::::

Configuration 2 (hide)

OR	cpe:2.3:o:debian:debian_linux:6.0:::::::*
	cpe:2.3:o:debian:debian_linux:7.0:::::::*
	cpe:2.3:o:debian:debian_linux:8.0:::::::*

Information

Published : 2014-04-23 08:55

Updated : 2021-04-20 05:50

NVD link : CVE-2014-2983

Mitre link : CVE-2014-2983

JSON object : View

CWE

CWE-200

Exposure of Sensitive Information to an Unauthorized Actor

Products Affected

debian

debian_linux

drupal

drupal

{"cve": {"data_type": "CVE", "references": {"reference_data": [{"url": "https://drupal.org/SA-CORE-2014-002", "name": "https://drupal.org/SA-CORE-2014-002", "tags": ["Patch", "Vendor Advisory"], "refsource": "CONFIRM"}, {"url": "http://www.openwall.com/lists/oss-security/2014/04/22/2", "name": "[oss-security] 20140421 Re: CVE Request for Drupal Core", "tags": ["Mailing List", "Third Party Advisory"], "refsource": "MLIST"}, {"url": "http://www.debian.org/security/2014/dsa-2914", "name": "DSA-2914", "tags": ["Third Party Advisory"], "refsource": "DEBIAN"}, {"url": "http://www.debian.org/security/2014/dsa-2913", "name": "DSA-2913", "tags": ["Third Party Advisory"], "refsource": "DEBIAN"}]}, "data_format": "MITRE", "description": {"description_data": [{"lang": "en", "value": "Drupal 6.x before 6.31 and 7.x before 7.27 does not properly isolate the cached data of different anonymous users, which allows remote anonymous users to obtain sensitive interim form input information in opportunistic situations via unspecified vectors."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "en", "value": "CWE-200"}]}]}, "data_version": "4.0", "CVE_data_meta": {"ID": "CVE-2014-2983", "ASSIGNER": "cve@mitre.org"}}, "impact": {"baseMetricV2": {"cvssV2": {"version": "2.0", "baseScore": 5.0, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "authentication": "NONE", "integrityImpact": "NONE", "accessComplexity": "LOW", "availabilityImpact": "NONE", "confidentialityImpact": "PARTIAL"}, "severity": "MEDIUM", "acInsufInfo": false, "impactScore": 2.9, "obtainAllPrivilege": false, "exploitabilityScore": 10.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}}, "publishedDate": "2014-04-23T15:55Z", "configurations": {"nodes": [{"children": [], "operator": "OR", "cpe_match": [{"cpe23Uri": "cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true, "versionEndExcluding": "6.31", "versionStartIncluding": "6.0"}, {"cpe23Uri": "cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true, "versionEndExcluding": "7.27", "versionStartIncluding": "7.0"}]}, {"children": [], "operator": "OR", "cpe_match": [{"cpe23Uri": "cpe:2.3:o:debian:debian_linux:6.0:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:o:debian:debian_linux:7.0:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}]}], "CVE_data_version": "4.0"}, "lastModifiedDate": "2021-04-20T12:50Z"}

5.0 /10