Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Tue, 3 Mar 2015 21:00:53 -0500
From: Galen Charlton <gmc@...library.com>
To: cve-assign@...re.org
Cc: oss-security@...ts.openwall.com
Subject: Re: CVE request - Evergreen

Hi,

On Tue, Mar 3, 2015 at 8:08 PM,  <cve-assign@...re.org> wrote:
>> Both bugs had permitted remote unauthenticated access of confidential
>> application configuration settings.
>
> but https://bugs.launchpad.net/evergreen/+bug/1206589 says:
>
>> Any user who can authenticate to Evergreen and make the proper
>> open-ils.pcrud calls can view the history of any setting ... once
>> anonymous pcrud goes in, no login would be required either.
>
> Was there a released version of Evergreen in which an unauthenticated
> attacker could view a setting's history by exploiting this bug?

Yes, there was -- the comment in the bug report does not take into
account the fact that the open-ils.pcrud endpoint supports anonymous,
unauthenticated retrieval of database objects under pcrud's purview if
a user permission for retrieval is not explicitly specified in
fm_IDL.xml.

>  - in version 2.7.3, there is a major vulnerability in which a
>    setting's history can be viewed by any authenticated user,
>    including users with the "patron" role

Almost -- per my response above, unauthenticated users could also gain
access to a setting's history as, prior to the patch, anonymous
retrieval was possible via open-ils.pcrud.

>  - in version 2.7.4, there is a minor vulnerability in which a
>    setting's history can be viewed by all persons with the staff role,
>    which would include unauthorized staff in many realistic
>    deployments. This might be fixed in a future release by forcing all
>    access to use cstore, or by some other undetermined change.
> ?

Correct, and I agree with the implication that bug 1206589 would
therefore warrant two CVE numbers.

Regards,

Galen
-- 
Galen Charlton
Infrastructure and Added Services Manager
Equinox Software, Inc. / The Open Source Experts
email:  gmc@...library.com
direct: +1 770-709-5581
cell:   +1 404-984-4366
skype:  gmcharlt
web:    http://www.esilibrary.com/
Supporting Koha and Evergreen: http://koha-community.org &
http://evergreen-ils.org

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ