Date: Tue, 3 Mar 2015 21:00:53 -0500 From: Galen Charlton <gmc@...library.com> To: cve-assign@...re.org Cc: oss-security@...ts.openwall.com Subject: Re: CVE request - Evergreen Hi, On Tue, Mar 3, 2015 at 8:08 PM, <cve-assign@...re.org> wrote: >> Both bugs had permitted remote unauthenticated access of confidential >> application configuration settings. > > but https://bugs.launchpad.net/evergreen/+bug/1206589 says: > >> Any user who can authenticate to Evergreen and make the proper >> open-ils.pcrud calls can view the history of any setting ... once >> anonymous pcrud goes in, no login would be required either. > > Was there a released version of Evergreen in which an unauthenticated > attacker could view a setting's history by exploiting this bug? Yes, there was -- the comment in the bug report does not take into account the fact that the open-ils.pcrud endpoint supports anonymous, unauthenticated retrieval of database objects under pcrud's purview if a user permission for retrieval is not explicitly specified in fm_IDL.xml. > - in version 2.7.3, there is a major vulnerability in which a > setting's history can be viewed by any authenticated user, > including users with the "patron" role Almost -- per my response above, unauthenticated users could also gain access to a setting's history as, prior to the patch, anonymous retrieval was possible via open-ils.pcrud. > - in version 2.7.4, there is a minor vulnerability in which a > setting's history can be viewed by all persons with the staff role, > which would include unauthorized staff in many realistic > deployments. This might be fixed in a future release by forcing all > access to use cstore, or by some other undetermined change. > ? Correct, and I agree with the implication that bug 1206589 would therefore warrant two CVE numbers. Regards, Galen -- Galen Charlton Infrastructure and Added Services Manager Equinox Software, Inc. / The Open Source Experts email: gmc@...library.com direct: +1 770-709-5581 cell: +1 404-984-4366 skype: gmcharlt web: http://www.esilibrary.com/ Supporting Koha and Evergreen: http://koha-community.org & http://evergreen-ils.org
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ