CVE-2015-5490

The _views_fetch_data method in includes/cache.inc in the Views module 7.x-3.5 through 7.x-3.10 for Drupal does not rebuild the full cache if the static cache is not empty, which allows remote attackers to bypass intended filters and obtain access to hidden content via unspecified vectors.

CVSS v2.0 5.0 MEDIUM

5.0^/10

CVSS v2.0 : MEDIUM

Vector : AV:N/AC:L/Au:N/C:P/I:N/A:N

Exploitability : 10.0 / Impact : 2.9

Access Vector NETWORK

Access Complexity LOW

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact NONE

Availability Impact NONE

References

Link	Resource
https://www.drupal.org/node/2475669	Exploit
https://www.drupal.org/node/2480327	Patch Vendor Advisory
http://www.openwall.com/lists/oss-security/2015/07/04/4
https://www.drupal.org/node/2480259	Patch
http://cgit.drupalcode.org/views/commit/?id=cef693b
http://www.securityfocus.com/bid/74462

Advertisement

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:views_project:views:7.x-3.8:::::drupal::
	cpe:2.3:a:views_project:views:7.x-3.10:::::drupal::
	cpe:2.3:a:views_project:views:7.x-3.5:::::drupal::
	cpe:2.3:a:views_project:views:7.x-3.6:::::drupal::
	cpe:2.3:a:views_project:views:7.x-3.7:::::drupal::

Information

Published : 2015-08-18 10:59

Updated : 2016-11-28 11:33

NVD link : CVE-2015-5490

Mitre link : CVE-2015-5490

JSON object : View

CWE

CWE-200

Exposure of Sensitive Information to an Unauthorized Actor

Advertisement

Products Affected

views_project

views

{"cve": {"data_type": "CVE", "references": {"reference_data": [{"url": "https://www.drupal.org/node/2475669", "name": "https://www.drupal.org/node/2475669", "tags": ["Exploit"], "refsource": "MISC"}, {"url": "https://www.drupal.org/node/2480327", "name": "https://www.drupal.org/node/2480327", "tags": ["Patch", "Vendor Advisory"], "refsource": "MISC"}, {"url": "http://www.openwall.com/lists/oss-security/2015/07/04/4", "name": "[oss-security] 20150704 CVE requests for Drupal contributed modules (from SA-CONTRIB-2015-100 to SA-CONTRIB-2015-131)", "tags": [], "refsource": "MLIST"}, {"url": "https://www.drupal.org/node/2480259", "name": "https://www.drupal.org/node/2480259", "tags": ["Patch"], "refsource": "CONFIRM"}, {"url": "http://cgit.drupalcode.org/views/commit/?id=cef693b", "name": "http://cgit.drupalcode.org/views/commit/?id=cef693b", "tags": [], "refsource": "CONFIRM"}, {"url": "http://www.securityfocus.com/bid/74462", "name": "74462", "tags": [], "refsource": "BID"}]}, "data_format": "MITRE", "description": {"description_data": [{"lang": "en", "value": "The _views_fetch_data method in includes/cache.inc in the Views module 7.x-3.5 through 7.x-3.10 for Drupal does not rebuild the full cache if the static cache is not empty, which allows remote attackers to bypass intended filters and obtain access to hidden content via unspecified vectors."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "en", "value": "CWE-200"}]}]}, "data_version": "4.0", "CVE_data_meta": {"ID": "CVE-2015-5490", "ASSIGNER": "cve@mitre.org"}}, "impact": {"baseMetricV2": {"cvssV2": {"version": "2.0", "baseScore": 5.0, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "authentication": "NONE", "integrityImpact": "NONE", "accessComplexity": "LOW", "availabilityImpact": "NONE", "confidentialityImpact": "PARTIAL"}, "severity": "MEDIUM", "acInsufInfo": true, "impactScore": 2.9, "obtainAllPrivilege": false, "exploitabilityScore": 10.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}}, "publishedDate": "2015-08-18T17:59Z", "configurations": {"nodes": [{"children": [], "operator": "OR", "cpe_match": [{"cpe23Uri": "cpe:2.3:a:views_project:views:7.x-3.8:*:*:*:*:drupal:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:views_project:views:7.x-3.10:*:*:*:*:drupal:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:views_project:views:7.x-3.5:*:*:*:*:drupal:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:views_project:views:7.x-3.6:*:*:*:*:drupal:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:views_project:views:7.x-3.7:*:*:*:*:drupal:*:*", "cpe_name": [], "vulnerable": true}]}], "CVE_data_version": "4.0"}, "lastModifiedDate": "2016-11-28T19:33Z"}