CVE-2015-9287

Directory Traversal was discovered in University of Cambridge mod_ucam_webauth before 2.0.2. The key identification field ("kid") of the IdP's HTTP response message ("WLS-Response") can be manipulated by an attacker. The "kid" field is not signed like the rest of the message, and manipulation is therefore trivial. The "kid" field should only ever represent an integer. However, it is possible to provide any string value. An attacker could use this to their advantage to force the application agent to load the RSA public key required for message integrity checking from an unintended location.

CVSS v3 9.8 CRITICAL
CVSS v2.0 5.0 MEDIUM

9.8^/10

CVSS v3 : CRITICAL

Vector : AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Exploitability : 3.9 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

5.0^/10

CVSS v2.0 : MEDIUM

Vector : AV:N/AC:L/Au:N/C:P/I:N/A:N

Exploitability : 10.0 / Impact : 2.9

Access Vector NETWORK

Access Complexity LOW

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact NONE

Availability Impact NONE

References

Link	Resource
https://doi.org/10.1007/978-3-030-03251-7_1	Permissions Required Third Party Advisory
https://github.com/grymer/CVE	Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:cam:the_university_of_cambridge_web_authentication_system_apache_authentication_agent:*:*:*:*:*:*:*:*

History

No history.

Information

Published : 2019-05-13 16:29

Updated : 2023-12-10 12:59

NVD link : CVE-2015-9287

Mitre link : CVE-2015-9287

CVE.ORG link : CVE-2015-9287

JSON object : View

Products Affected

cam

the_university_of_cambridge_web_authentication_system_apache_authentication_agent

CWE

CWE-22

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

{"id": "CVE-2015-9287", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 5.0, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "authentication": "NONE", "integrityImpact": "NONE", "accessComplexity": "LOW", "availabilityImpact": "NONE", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 10.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV30": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.0", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 3.9}]}, "published": "2019-05-13T16:29:00.350", "references": [{"url": "https://doi.org/10.1007/978-3-030-03251-7_1", "tags": ["Permissions Required", "Third Party Advisory"], "source": "cve@mitre.org"}, {"url": "https://github.com/grymer/CVE", "tags": ["Third Party Advisory"], "source": "cve@mitre.org"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-22"}]}], "descriptions": [{"lang": "en", "value": "Directory Traversal was discovered in University of Cambridge mod_ucam_webauth before 2.0.2. The key identification field (\"kid\") of the IdP's HTTP response message (\"WLS-Response\") can be manipulated by an attacker. The \"kid\" field is not signed like the rest of the message, and manipulation is therefore trivial. The \"kid\" field should only ever represent an integer. However, it is possible to provide any string value. An attacker could use this to their advantage to force the application agent to load the RSA public key required for message integrity checking from an unintended location."}, {"lang": "es", "value": "Fue encontrada una vulnerabilidad de Salto de Directorio (Directory Traversal) en University of Cambridge mod_ucam_webauth before 2.0.2. Un atacante puede manipular el campo de identificaci\u00f3n de clave (\"Kid\") del mensaje de respuesta HTTP del IdP (\"WLS-Response\"). El campo \"Kid\" no est\u00e1 firmado como el resto del mensaje y, por lo tanto, la manipulaci\u00f3n es trivial. El campo \"Kid\" solo debe representar un n\u00famero entero. Sin embargo, es posible suministrar cualquier valor de cadena. Un atacante podr\u00eda usar esto para su ventaja para forzar al agente de la aplicaci\u00f3n a cargar la clave p\u00fablica RSA requerida para verificar la integridad del mensaje desde una ubicaci\u00f3n no deseada."}], "lastModified": "2019-05-20T13:25:51.723", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:cam:the_university_of_cambridge_web_authentication_system_apache_authentication_agent:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "A6D52381-2AFB-4AD5-B7D9-F4AA10F60C50", "versionEndExcluding": "2.0.2"}], "operator": "OR"}]}], "sourceIdentifier": "cve@mitre.org"}