CVE-2015-3201

Thermostat before 2.0.0 uses world-readable permissions for the web.xml configuration file, which allows local users to obtain user credentials by reading the file.
Configurations

Configuration 1

cpe:2.3:a:redhat:thermostat:*:*:*:*:*:*:*:*

History

13 Feb 2023, 00:47

Summary
  • Values Removed: It was discovered that the Thermostat web application stored database authentication credentials in a world-readable configuration file. A local user on a system running the Thermostat web application could use this flaw to access and modify monitored JVM data, or perform actions on connected JVMs.
  • Values Added: Thermostat before 2.0.0 uses world-readable permissions for the web.xml configuration file, which allows local users to obtain user credentials by reading the file.
References
  • (MISC) https://access.redhat.com/errata/RHSA-2015:1052
  • (MISC) https://bugzilla.redhat.com/show_bug.cgi?id=1221989
  • (MISC) https://access.redhat.com/security/cve/CVE-2015-3201

02 Feb 2023, 16:16

Summary
  • Values Removed: Thermostat before 2.0.0 uses world-readable permissions for the web.xml configuration file, which allows local users to obtain user credentials by reading the file.
  • Values Added: It was discovered that the Thermostat web application stored database authentication credentials in a world-readable configuration file. A local user on a system running the Thermostat web application could use this flaw to access and modify monitored JVM data, or perform actions on connected JVMs.
References
  • (MISC) https://access.redhat.com/errata/RHSA-2015:1052
  • (MISC) https://bugzilla.redhat.com/show_bug.cgi?id=1221989
  • (MISC) https://access.redhat.com/security/cve/CVE-2015-3201

Information

Published : 2015-06-08 14:59

Updated : 2023-12-10 11:46


NVD link : CVE-2015-3201

Mitre link : CVE-2015-3201

CVE.ORG link : CVE-2015-3201


Products Affected

redhat

  • thermostat
CWE
CWE-200

Exposure of Sensitive Information to an Unauthorized Actor