CVE-2015-5246

The LDAP Authentication functionality in Foreman might allow remote attackers with knowledge of old passwords to gain access via vectors involving the password lifetime period in Active Directory.

CVSS v3 8.1 HIGH
CVSS v2.0 6.8 MEDIUM

8.1^/10

CVSS v3 : HIGH

Vector : AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Exploitability : 2.2 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity HIGH

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

6.8^/10

CVSS v2.0 : MEDIUM

Vector : AV:N/AC:M/Au:N/C:P/I:P/A:P

Exploitability : 8.6 / Impact : 6.4

Access Vector NETWORK

Access Complexity MEDIUM

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact PARTIAL

References

Link	Resource
http://projects.theforeman.org/issues/11471	Issue Tracking Patch Vendor Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=1258700	Issue Tracking

Configurations

Configuration 1 (hide)

cpe:2.3:a:theforeman:foreman:1.9.0:*:*:*:*:*:*:*

History

No history.

Information

Published : 2017-10-06 15:29

Updated : 2017-11-01 12:50

NVD link : CVE-2015-5246

Mitre link : CVE-2015-5246

CVE.ORG link : CVE-2015-5246

JSON object : View

Products Affected

theforeman

foreman

CWE

CWE-254

7PK - Security Features

{"id": "CVE-2015-5246", "cveTags": [], "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 6.8, "accessVector": "NETWORK", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "MEDIUM", "availabilityImpact": "PARTIAL", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 6.4, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 8.6, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV30": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.0", "baseScore": 8.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 2.2}]}, "published": "2017-10-06T15:29:00.437", "references": [{"url": "http://projects.theforeman.org/issues/11471", "tags": ["Issue Tracking", "Patch", "Vendor Advisory"], "source": "secalert@redhat.com"}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1258700", "tags": ["Issue Tracking"], "source": "secalert@redhat.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-254"}]}], "descriptions": [{"lang": "en", "value": "The LDAP Authentication functionality in Foreman might allow remote attackers with knowledge of old passwords to gain access via vectors involving the password lifetime period in Active Directory."}, {"lang": "es", "value": "La funcionalidad de autenticaci\u00f3n LDAP en Foreman podr\u00eda permitir que atacantes remotos que conozcan las contrase\u00f1as anteriores obtengan acceso mediante vectores relacionados con el periodo de vida activa de contrase\u00f1as en Active Directory."}], "lastModified": "2017-11-01T12:50:16.360", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:theforeman:foreman:1.9.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "F1825F24-09E5-4AC4-845B-C9D113372B05"}], "operator": "OR"}]}], "sourceIdentifier": "secalert@redhat.com"}