oss-sec mailing list archives
Re: CVE request - Evergreen
From: Galen Charlton <gmc () esilibrary com>
Date: Tue, 3 Mar 2015 21:00:53 -0500
Hi,

On Tue, Mar 3, 2015 at 8:08 PM, <cve-assign () mitre org> wrote:
>> Both bugs had permitted remote unauthenticated access of confidential
>> application configuration settings.
>
> but https://bugs.launchpad.net/evergreen/+bug/1206589 says:
>
>   Any user who can authenticate to Evergreen and make the proper
>   open-ils.pcrud calls can view the history of any setting ... once
>   anonymous pcrud goes in, no login would be required either.
>
> Was there a released version of Evergreen in which an unauthenticated
> attacker could view a setting's history by exploiting this bug?
Yes, there was -- the comment in the bug report does not take into account the fact that the open-ils.pcrud endpoint supports anonymous, unauthenticated retrieval of database objects under pcrud's purview if a user permission for retrieval is not explicitly specified in fm_IDL.xml.
> - in version 2.7.3, there is a major vulnerability in which a setting's
>   history can be viewed by any authenticated user, including users with
>   the "patron" role
Almost -- per my response above, unauthenticated users could also gain access to a setting's history as, prior to the patch, anonymous retrieval was possible via open-ils.pcrud.
> - in version 2.7.4, there is a minor vulnerability in which a setting's
>   history can be viewed by all persons with the staff role, which would
>   include unauthorized staff in many realistic deployments. This might be
>   fixed in a future release by forcing all access to use cstore, or by
>   some other undetermined change. ?
Correct, and I agree with the implication that bug 1206589 would therefore warrant two CVE numbers.

Regards,

Galen
--
Galen Charlton
Infrastructure and Added Services Manager
Equinox Software, Inc. / The Open Source Experts
email: gmc () esilibrary com
direct: +1 770-709-5581
cell: +1 404-984-4366
skype: gmcharlt
web: http://www.esilibrary.com/
Supporting Koha and Evergreen: http://koha-community.org & http://evergreen-ils.org
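As an added example, not part of this thread and not code from the Evergreen project: a small audit script that reads an fm_IDL.xml-shaped file and lists every class served by open-ils.pcrud whose retrieve action carries no permission attribute, which is the condition Galen describes above (anonymous, unauthenticated retrieval when no retrieval permission is declared). The embedded sample IDL is constructed; its class ids and permission names are invented, and the element and attribute layout (a `controller` attribute listing `open-ils.pcrud`, and a `permacrud/actions/retrieve` element with an optional `permission` attribute) is my reading of the Evergreen IDL, so check it against your deployed file before relying on the result.

```python
"""Audit an Evergreen-style fm_IDL.xml for pcrud-exposed classes whose
retrieve action has no permission attribute (anonymously retrievable).

Constructed example. The sample IDL below is a simplified stand-in for the
real fm_IDL.xml: class ids and permission names are made up, and the
structure reflects my understanding of the IDL, not a verified schema.
"""
import xml.etree.ElementTree as ET

# Constructed sample in the shape of fm_IDL.xml (assumed layout).
SAMPLE_IDL = """<?xml version="1.0"?>
<IDL xmlns="http://opensrf.org/spec/IDL/base/v1">
  <!-- retrieve gated by a named permission: only holders of it may read -->
  <class id="example_setting" controller="open-ils.cstore open-ils.pcrud">
    <permacrud xmlns="http://open-ils.org/spec/opensrf/IDL/permacrud/v1">
      <actions>
        <retrieve permission="VIEW_EXAMPLE_SETTING" context_field="org_unit"/>
      </actions>
    </permacrud>
  </class>
  <!-- retrieve with no permission attribute: the pattern behind the bug -->
  <class id="example_setting_log" controller="open-ils.cstore open-ils.pcrud">
    <permacrud xmlns="http://open-ils.org/spec/opensrf/IDL/permacrud/v1">
      <actions>
        <retrieve/>
      </actions>
    </permacrud>
  </class>
  <!-- not served by pcrud at all, so not reachable through that endpoint -->
  <class id="example_internal" controller="open-ils.cstore">
    <permacrud xmlns="http://open-ils.org/spec/opensrf/IDL/permacrud/v1">
      <actions>
        <retrieve/>
      </actions>
    </permacrud>
  </class>
</IDL>
"""


def audit_pcrud_retrieve(idl_xml):
    """Return a list of (class_id, status) for every class whose controller
    attribute includes open-ils.pcrud. status is one of:
      'anonymous'   - retrieve action declared with no permission attribute
      'permission'  - retrieve gated by a named permission
      'no-retrieve' - exposed via pcrud but no retrieve action declared
    Classes not served by pcrud are skipped. Namespace-agnostic ({*}) paths
    are used so the check does not depend on the exact namespace URIs.
    """
    root = ET.fromstring(idl_xml)
    findings = []
    for cls in root.iterfind(".//{*}class"):
        controllers = cls.get("controller", "").split()
        if "open-ils.pcrud" not in controllers:
            continue
        retrieve = cls.find("{*}permacrud/{*}actions/{*}retrieve")
        if retrieve is None:
            status = "no-retrieve"
        elif retrieve.get("permission"):
            status = "permission"
        else:
            status = "anonymous"
        findings.append((cls.get("id"), status))
    return findings


def anonymous_classes(idl_xml):
    """Class ids that pcrud would serve to an unauthenticated caller."""
    return [cid for cid, status in audit_pcrud_retrieve(idl_xml)
            if status == "anonymous"]


if __name__ == "__main__":
    for cid, status in audit_pcrud_retrieve(SAMPLE_IDL):
        print(f"{cid}: {status}")
    print("anonymously retrievable:", anonymous_classes(SAMPLE_IDL))
```

Run against a real deployment by replacing SAMPLE_IDL with the contents of the installed fm_IDL.xml; any class reported as 'anonymous' deserves the same review that the setting-history class received in bug 1206589, and a class reported as 'permission' still needs a look at who holds that permission, since the 2.7.4 residual issue described in the thread is exactly a permission granted more widely than the data warrants.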