CVE-2015-9287 - OpenCVE

Directory Traversal was discovered in University of Cambridge mod_ucam_webauth before 2.0.2. The key identification field ("kid") of the IdP's HTTP response message ("WLS-Response") can be manipulated by an attacker. The "kid" field is not signed like the rest of the message, and manipulation is therefore trivial. The "kid" field should only ever represent an integer. However, it is possible to provide any string value. An attacker could use this to their advantage to force the application agent to load the RSA public key required for message integrity checking from an unintended location.

No CVSS v3.1

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

AV:N/AC:L/Au:N/C:P/I:N/A:N

Vendors & Products
CPE Configurations

Vendors	Products
Cam	The University Of Cambridge Web Authentication System Apache Authentication Agent

Configuration 1 [-]

cpe:2.3:a:cam:the_university_of_cambridge_web_authentication_system_apache_authentication_agent:*:*:*:*:*:*:*:*

References

Link	Resource
https://doi.org/10.1007/978-3-030-03251-7_1	Permissions Required Third Party Advisory
https://github.com/grymer/CVE	Third Party Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: mitre

Published: 2019-05-13T15:44:06

Updated: 2019-05-13T15:44:06

Reserved: 2019-05-01T00:00:00

Link: CVE-2015-9287

JSON object: View

NVD Information

Status : Analyzed

Published: 2019-05-13T16:29:00.350

Modified: 2019-05-20T13:25:51.723

Link: CVE-2015-9287

JSON object: View

Redhat Information

No data.

CWE

CWE-22

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2019-05-01T00:00:00", "descriptions": [{"lang": "en", "value": "Directory Traversal was discovered in University of Cambridge mod_ucam_webauth before 2.0.2. The key identification field (\"kid\") of the IdP's HTTP response message (\"WLS-Response\") can be manipulated by an attacker. The \"kid\" field is not signed like the rest of the message, and manipulation is therefore trivial. The \"kid\" field should only ever represent an integer. However, it is possible to provide any string value. An attacker could use this to their advantage to force the application agent to load the RSA public key required for message integrity checking from an unintended location."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2019-05-13T15:44:06", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://doi.org/10.1007/978-3-030-03251-7_1"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/grymer/CVE"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2015-9287", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Directory Traversal was discovered in University of Cambridge mod_ucam_webauth before 2.0.2. The key identification field (\"kid\") of the IdP's HTTP response message (\"WLS-Response\") can be manipulated by an attacker. The \"kid\" field is not signed like the rest of the message, and manipulation is therefore trivial. The \"kid\" field should only ever represent an integer. However, it is possible to provide any string value. An attacker could use this to their advantage to force the application agent to load the RSA public key required for message integrity checking from an unintended location."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://doi.org/10.1007/978-3-030-03251-7_1", "refsource": "MISC", "url": "https://doi.org/10.1007/978-3-030-03251-7_1"}, {"name": "https://github.com/grymer/CVE", "refsource": "MISC", "url": "https://github.com/grymer/CVE"}]}}}}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2015-9287", "datePublished": "2019-05-13T15:44:06", "dateReserved": "2019-05-01T00:00:00", "dateUpdated": "2019-05-13T15:44:06", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:cam:the_university_of_cambridge_web_authentication_system_apache_authentication_agent:*:*:*:*:*:*:*:*", "matchCriteriaId": "A6D52381-2AFB-4AD5-B7D9-F4AA10F60C50", "versionEndExcluding": "2.0.2", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Directory Traversal was discovered in University of Cambridge mod_ucam_webauth before 2.0.2. The key identification field (\"kid\") of the IdP's HTTP response message (\"WLS-Response\") can be manipulated by an attacker. The \"kid\" field is not signed like the rest of the message, and manipulation is therefore trivial. The \"kid\" field should only ever represent an integer. However, it is possible to provide any string value. An attacker could use this to their advantage to force the application agent to load the RSA public key required for message integrity checking from an unintended location."}, {"lang": "es", "value": "Fue encontrada una vulnerabilidad de Salto de Directorio (Directory Traversal) en University of Cambridge mod_ucam_webauth before 2.0.2. Un atacante puede manipular el campo de identificaci\u00f3n de clave (\"Kid\") del mensaje de respuesta HTTP del IdP (\"WLS-Response\"). El campo \"Kid\" no est\u00e1 firmado como el resto del mensaje y, por lo tanto, la manipulaci\u00f3n es trivial. El campo \"Kid\" solo debe representar un n\u00famero entero. Sin embargo, es posible suministrar cualquier valor de cadena. Un atacante podr\u00eda usar esto para su ventaja para forzar al agente de la aplicaci\u00f3n a cargar la clave p\u00fablica RSA requerida para verificar la integridad del mensaje desde una ubicaci\u00f3n no deseada."}], "id": "CVE-2015-9287", "lastModified": "2019-05-20T13:25:51.723", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2019-05-13T16:29:00.350", "references": [{"source": "cve@mitre.org", "tags": ["Permissions Required", "Third Party Advisory"], "url": "https://doi.org/10.1007/978-3-030-03251-7_1"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://github.com/grymer/CVE"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-22"}], "source": "nvd@nist.gov", "type": "Primary"}]}