CVE-2015-8400 - OpenCVE

The HTTPS fallback implementation in Shell In A Box (aka shellinabox) before 2.19 makes it easier for remote attackers to conduct DNS rebinding attacks via the "/plain" URL.

No CVSS v3.1

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact None

Integrity Impact High

Availability Impact None

User Interaction Required

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

AV:N/AC:M/Au:N/C:N/I:P/A:N

Vendors & Products
CPE Configurations

Vendors	Products
Shellinabox Project	Shellinabox
Fedoraproject	Fedora

Configuration 1 [-]

OR	cpe:2.3:o:fedoraproject:fedora:22:::::::*
	cpe:2.3:o:fedoraproject:fedora:23:::::::*

Configuration 2 [-]

cpe:2.3:a:shellinabox_project:shellinabox:*:*:*:*:*:*:*:*

References

Link	Resource
http://lists.fedoraproject.org/pipermail/package-announce/2016-January/175117.html
http://lists.fedoraproject.org/pipermail/package-announce/2016-January/175224.html
http://www.openwall.com/lists/oss-security/2015/12/02/6
http://www.openwall.com/lists/oss-security/2015/12/02/7
https://github.com/shellinabox/shellinabox/issues/355	Vendor Advisory
https://github.com/shellinabox/shellinabox/releases/tag/v2.19	Patch

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: mitre

Published: 2016-01-12T19:00:00

Updated: 2016-01-12T18:57:02

Reserved: 2015-12-02T00:00:00

Link: CVE-2015-8400

JSON object: View

NVD Information

Status : Analyzed

Published: 2016-01-12T19:59:10.973

Modified: 2016-01-20T14:15:54.190

Link: CVE-2015-8400

JSON object: View

Redhat Information

No data.

CWE

CWE-254

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2015-12-02T00:00:00", "descriptions": [{"lang": "en", "value": "The HTTPS fallback implementation in Shell In A Box (aka shellinabox) before 2.19 makes it easier for remote attackers to conduct DNS rebinding attacks via the \"/plain\" URL."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2016-01-12T18:57:02", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/shellinabox/shellinabox/releases/tag/v2.19"}, {"name": "FEDORA-2015-463143720f", "tags": ["vendor-advisory", "x_refsource_FEDORA"], "url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-January/175224.html"}, {"name": "[oss-security] 20151202 Re: shellinabox - DNS rebinding attack due to HTTP fallback", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "http://www.openwall.com/lists/oss-security/2015/12/02/7"}, {"name": "FEDORA-2015-1c773e8702", "tags": ["vendor-advisory", "x_refsource_FEDORA"], "url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-January/175117.html"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/shellinabox/shellinabox/issues/355"}, {"name": "[oss-security] 20151202 shellinabox - DNS rebinding attack due to HTTP fallback", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "http://www.openwall.com/lists/oss-security/2015/12/02/6"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2015-8400", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "The HTTPS fallback implementation in Shell In A Box (aka shellinabox) before 2.19 makes it easier for remote attackers to conduct DNS rebinding attacks via the \"/plain\" URL."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://github.com/shellinabox/shellinabox/releases/tag/v2.19", "refsource": "CONFIRM", "url": "https://github.com/shellinabox/shellinabox/releases/tag/v2.19"}, {"name": "FEDORA-2015-463143720f", "refsource": "FEDORA", "url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-January/175224.html"}, {"name": "[oss-security] 20151202 Re: shellinabox - DNS rebinding attack due to HTTP fallback", "refsource": "MLIST", "url": "http://www.openwall.com/lists/oss-security/2015/12/02/7"}, {"name": "FEDORA-2015-1c773e8702", "refsource": "FEDORA", "url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-January/175117.html"}, {"name": "https://github.com/shellinabox/shellinabox/issues/355", "refsource": "CONFIRM", "url": "https://github.com/shellinabox/shellinabox/issues/355"}, {"name": "[oss-security] 20151202 shellinabox - DNS rebinding attack due to HTTP fallback", "refsource": "MLIST", "url": "http://www.openwall.com/lists/oss-security/2015/12/02/6"}]}}}}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2015-8400", "datePublished": "2016-01-12T19:00:00", "dateReserved": "2015-12-02T00:00:00", "dateUpdated": "2016-01-12T18:57:02", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:fedoraproject:fedora:22:*:*:*:*:*:*:*", "matchCriteriaId": "253C303A-E577-4488-93E6-68A8DD942C38", "vulnerable": true}, {"criteria": "cpe:2.3:o:fedoraproject:fedora:23:*:*:*:*:*:*:*", "matchCriteriaId": "E79AB8DD-C907-4038-A931-1A5A4CFB6A5B", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:shellinabox_project:shellinabox:*:*:*:*:*:*:*:*", "matchCriteriaId": "0123E372-6429-4345-ACE0-3A8D2778258F", "versionEndIncluding": "2.18", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "The HTTPS fallback implementation in Shell In A Box (aka shellinabox) before 2.19 makes it easier for remote attackers to conduct DNS rebinding attacks via the \"/plain\" URL."}, {"lang": "es", "value": "La implementaci\u00f3n de retorno de HTTPS en Shell In A Box (tambi\u00e9n conocido como shellinabox) en versiones anteriores a 2.19 hace que sea mas f\u00e1cil para atacantes remotos llevar a cabo ataques de revinculaci\u00f3n DNS a trav\u00e9s de la URL \"/plain\"."}], "id": "CVE-2015-8400", "lastModified": "2016-01-20T14:15:54.190", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.4, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:N", "version": "3.0"}, "exploitabilityScore": 2.8, "impactScore": 4.0, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2016-01-12T19:59:10.973", "references": [{"source": "cve@mitre.org", "url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-January/175117.html"}, {"source": "cve@mitre.org", "url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-January/175224.html"}, {"source": "cve@mitre.org", "url": "http://www.openwall.com/lists/oss-security/2015/12/02/6"}, {"source": "cve@mitre.org", "url": "http://www.openwall.com/lists/oss-security/2015/12/02/7"}, {"source": "cve@mitre.org", "tags": ["Vendor Advisory"], "url": "https://github.com/shellinabox/shellinabox/issues/355"}, {"source": "cve@mitre.org", "tags": ["Patch"], "url": "https://github.com/shellinabox/shellinabox/releases/tag/v2.19"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-254"}], "source": "nvd@nist.gov", "type": "Primary"}]}