Description
Evergreen before 2.5.9, 2.6.x before 2.6.7, and 2.7.x before 2.7.4 allows remote attackers to bypass an intended access restriction and obtain sensitive information about org unit settings by leveraging failure of open-ils.actor.ou_setting.ancestor_default to enforce view_perm when no auth token is provided.
References
- Issue Tracking, Release Notes
- Issue Tracking, Release Notes
- Issue Tracking, Release Notes
- Issue Tracking, Patch, Release Notes
- Issue Tracking, Mailing List, Third Party Advisory
- Third Party Advisory, VDB Entry
- Issue Tracking, Patch, Vendor Advisory
Vulnerable configurations
Configuration 1
- Version before 2.5.9 (excluding)
- Version from 2.6.0 (including) before 2.6.7 (excluding)
- Version from 2.7.0 (including) before 2.7.4 (excluding)
One of:
cpe:2.3:a:evergreen-ils:evergreen:*:*:*:*:*:*:*:*
cpe:2.3:a:evergreen-ils:evergreen:*:*:*:*:*:*:*:*
cpe:2.3:a:evergreen-ils:evergreen:*:*:*:*:*:*:*:*
EPSS: 0.00583 (Low), percentile: 68%
CVSS3: 7.5 High
CVSS2: 5 Medium
Weaknesses
CWE-200
Related vulnerabilities
CVSS3: 7.5
github
more than 3 years ago
Evergreen before 2.5.9, 2.6.x before 2.6.7, and 2.7.x before 2.7.4 allows remote attackers to bypass an intended access restriction and obtain sensitive information about org unit settings by leveraging failure of open-ils.actor.ou_setting.ancestor_default to enforce view_perm when no auth token is provided.
EPSS: 0.00583 (Low), percentile: 68%
CVSS3: 7.5 High
CVSS2: 5 Medium
Weaknesses
CWE-200