oss-sec mailing list archives
Re: CVE request - Evergreen
From: cve-assign () mitre org
Date: Tue, 3 Mar 2015 20:08:28 -0500 (EST)
http://evergreen-ils.org/security-releases-evergreen-2-7-4-2-6-7-and-2-5-9/
We have these initial questions, in part to determine whether there should be a total of two CVE IDs or three CVE IDs. http://openwall.com/lists/oss-security/2015/03/03/11 says:
Both bugs had permitted remote unauthenticated access of confidential application configuration settings.
but https://bugs.launchpad.net/evergreen/+bug/1206589 says:
Any user who can authenticate to Evergreen and make the proper open-ils.pcrud calls can view the history of any setting ... once anonymous pcrud goes in, no login would be required either.
Was there a released version of Evergreen in which an unauthenticated attacker could view a setting's history by exploiting this bug? https://bugs.launchpad.net/evergreen/+bug/1206589 also says:
An immediate fix for this would be to add a permission, just about any permission that a patron would not have ... The collab/dyrcona/lp1206589-quick-fix branch in the security repo adds a retrieve permission of STAFF_LOGIN ... That leaves us pretty much where the initial bug reports assumes we were with settings exposed only to unauthorized staff ... Since I have suggested removing the open-ils.pcrud controller, leaving cstore as the only mode of access to these settings, new API calls would need to be added to search and retrieve the settings history.
and http://git.evergreen-ils.org/?p=Evergreen.git;a=commit;h=ac588e879cf73ff1b65617e0bd273361d3529063 says:
Temporary Fix for Org. Unit Settings History Bug
1. It adds a retrieve permission of STAFF_LOGIN. This at least requires someone with staff permission to be able to view settings history.
Does this mean that:
- in version 2.7.3, there is a major vulnerability in which a setting's history can be viewed by any authenticated user, including users with the "patron" role
- in version 2.7.4, there is a minor vulnerability in which a setting's history can be viewed by all persons with the staff role, which would include unauthorized staff in many realistic deployments. This might be fixed in a future release by forcing all access to use cstore, or by some other undetermined change.
?
https://bugs.launchpad.net/evergreen/+bug/1424755
This seems to be a much simpler case that was completely fixed by http://git.evergreen-ils.org/?p=Evergreen.git;a=commit;h=3a0f1cc7b2efa517ee4cd4c6a682237554fed307 and had allowed unauthenticated access. It will have only one CVE ID.

--
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]