Overview
- Description
- Evergreen before 2.5.9, 2.6.x before 2.6.7, and 2.7.x before 2.7.4 allows remote attackers to bypass an intended access restriction and obtain sensitive information about org unit settings by leveraging failure of open-ils.actor.ou_setting.ancestor_default to enforce view_perm when no auth token is provided.
- Source
- cve@mitre.org
- NVD status
- Modified
Risk scores
CVSS 3.0
- Type
- Primary
- Base score
- 7.5
- Impact score
- 3.6
- Exploitability score
- 3.9
- Vector string
- CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
- Severity
- HIGH
CVSS 2.0
- Type
- Primary
- Base score
- 5
- Impact score
- 2.9
- Exploitability score
- 10
- Vector string
- AV:N/AC:L/Au:N/C:P/I:N/A:N
Weaknesses
- nvd@nist.gov
- CWE-200
Social media
- Hype score
- Not currently trending
Configurations
[
{
"nodes": [
{
"negate": false,
"cpeMatch": [
{
"criteria": "cpe:2.3:a:evergreen-ils:evergreen:*:*:*:*:*:*:*:*",
"vulnerable": true,
"matchCriteriaId": "9C011F2C-C3E1-45E5-B0EC-9062E9BC4D49",
"versionEndExcluding": "2.5.9"
},
{
"criteria": "cpe:2.3:a:evergreen-ils:evergreen:*:*:*:*:*:*:*:*",
"vulnerable": true,
"matchCriteriaId": "3FF50689-92F5-49E6-9F28-D3D4EE097BC7",
"versionEndExcluding": "2.6.7",
"versionStartIncluding": "2.6.0"
},
{
"criteria": "cpe:2.3:a:evergreen-ils:evergreen:*:*:*:*:*:*:*:*",
"vulnerable": true,
"matchCriteriaId": "E6DCEDFF-4A88-4931-B550-E3E0E3E58C99",
"versionEndExcluding": "2.7.4",
"versionStartIncluding": "2.7.0"
}
],
"operator": "OR"
}
]
}
]