CVE-2015-2204

{"cve": {"data_type": "CVE", "references": {"reference_data": [{"url": "https://bugs.launchpad.net/evergreen/+bug/1424755", "name": "https://bugs.launchpad.net/evergreen/+bug/1424755", "tags": ["Issue Tracking", "Vendor Advisory", "Patch"], "refsource": "CONFIRM"}, {"url": "http://www.securityfocus.com/bid/72889", "name": "72889", "tags": ["Third Party Advisory", "VDB Entry"], "refsource": "BID"}, {"url": "http://www.openwall.com/lists/oss-security/2015/03/04/3", "name": "[oss-security] 20150303 Re: CVE request - Evergreen", "tags": ["Mailing List", "Issue Tracking", "Third Party Advisory"], "refsource": "MLIST"}, {"url": "http://git.evergreen-ils.org/?p=Evergreen.git;a=commit;h=3a0f1cc7b2efa517ee4cd4c6a682237554fed307", "name": "http://git.evergreen-ils.org/?p=Evergreen.git;a=commit;h=3a0f1cc7b2efa517ee4cd4c6a682237554fed307", "tags": ["Issue Tracking", "Patch"], "refsource": "CONFIRM"}, {"url": "http://evergreen-ils.org/security-releases-evergreen-2-7-4-2-6-7-and-2-5-9/", "name": "http://evergreen-ils.org/security-releases-evergreen-2-7-4-2-6-7-and-2-5-9/", "tags": ["Issue Tracking", "Patch", "Release Notes"], "refsource": "CONFIRM"}, {"url": "http://evergreen-ils.org/downloads/ChangeLog-2.7.3-2.7.4", "name": "http://evergreen-ils.org/downloads/ChangeLog-2.7.3-2.7.4", "tags": ["Issue Tracking", "Release Notes"], "refsource": "CONFIRM"}, {"url": "http://evergreen-ils.org/downloads/ChangeLog-2.6.6-2.6.7", "name": "http://evergreen-ils.org/downloads/ChangeLog-2.6.6-2.6.7", "tags": ["Issue Tracking", "Release Notes"], "refsource": "CONFIRM"}, {"url": "http://evergreen-ils.org/downloads/ChangeLog-2.5.8-2.5.9", "name": "http://evergreen-ils.org/downloads/ChangeLog-2.5.8-2.5.9", "tags": ["Issue Tracking", "Release Notes"], "refsource": "CONFIRM"}]}, "data_format": "MITRE", "description": {"description_data": [{"lang": "en", "value": "Evergreen before 2.5.9, 2.6.x before 2.6.7, and 2.7.x before 2.7.4 allows remote attackers to bypass an intended access restriction and obtain sensitive information about org unit settings by leveraging failure of open-ils.actor.ou_setting.ancestor_default to enforce view_perm when no auth token is provided."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "en", "value": "CWE-200"}]}]}, "data_version": "4.0", "CVE_data_meta": {"ID": "CVE-2015-2204", "ASSIGNER": "cve@mitre.org"}}, "impact": {"baseMetricV2": {"cvssV2": {"version": "2.0", "baseScore": 5.0, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "authentication": "NONE", "integrityImpact": "NONE", "accessComplexity": "LOW", "availabilityImpact": "NONE", "confidentialityImpact": "PARTIAL"}, "severity": "MEDIUM", "impactScore": 2.9, "obtainAllPrivilege": false, "exploitabilityScore": 10.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}, "baseMetricV3": {"cvssV3": {"scope": "UNCHANGED", "version": "3.0", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 3.9}}, "publishedDate": "2018-02-01T17:29Z", "configurations": {"nodes": [{"children": [], "operator": "OR", "cpe_match": [{"cpe23Uri": "cpe:2.3:a:evergreen-ils:evergreen:*:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true, "versionEndExcluding": "2.7.4", "versionStartIncluding": "2.7.0"}, {"cpe23Uri": "cpe:2.3:a:evergreen-ils:evergreen:*:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true, "versionEndExcluding": "2.6.7", "versionStartIncluding": "2.6.0"}, {"cpe23Uri": "cpe:2.3:a:evergreen-ils:evergreen:*:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true, "versionEndExcluding": "2.5.9"}]}], "CVE_data_version": "4.0"}, "lastModifiedDate": "2018-02-15T13:21Z"}