CVE-2015-9287 (GCVE-0-2015-9287)

Vulnerability from cvelistv5 – Published: 2019-05-13 15:44 – Updated: 2024-08-06 08:43
Summary
Directory Traversal was discovered in University of Cambridge mod_ucam_webauth before 2.0.2. The key identification field ("kid") of the IdP's HTTP response message ("WLS-Response") can be manipulated by an attacker. The "kid" field is not signed like the rest of the message, and manipulation is therefore trivial. The "kid" field should only ever represent an integer. However, it is possible to provide any string value. An attacker could use this to their advantage to force the application agent to load the RSA public key required for message integrity checking from an unintended location.
Severity
No CVSS data available.
CWE
  • n/a
Date Public
2019-05-01 00:00

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-06T08:43:42.666Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://doi.org/10.1007/978-3-030-03251-7_1"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/grymer/CVE"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "datePublic": "2019-05-01T00:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "value": "Directory Traversal was discovered in University of Cambridge mod_ucam_webauth before 2.0.2. The key identification field (\"kid\") of the IdP\u0027s HTTP response message (\"WLS-Response\") can be manipulated by an attacker. The \"kid\" field is not signed like the rest of the message, and manipulation is therefore trivial. The \"kid\" field should only ever represent an integer. However, it is possible to provide any string value. An attacker could use this to their advantage to force the application agent to load the RSA public key required for message integrity checking from an unintended location."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2019-05-13T15:44:06.000Z",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://doi.org/10.1007/978-3-030-03251-7_1"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/grymer/CVE"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2015-9287",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Directory Traversal was discovered in University of Cambridge mod_ucam_webauth before 2.0.2. The key identification field (\"kid\") of the IdP\u0027s HTTP response message (\"WLS-Response\") can be manipulated by an attacker. The \"kid\" field is not signed like the rest of the message, and manipulation is therefore trivial. The \"kid\" field should only ever represent an integer. However, it is possible to provide any string value. An attacker could use this to their advantage to force the application agent to load the RSA public key required for message integrity checking from an unintended location."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://doi.org/10.1007/978-3-030-03251-7_1",
              "refsource": "MISC",
              "url": "https://doi.org/10.1007/978-3-030-03251-7_1"
            },
            {
              "name": "https://github.com/grymer/CVE",
              "refsource": "MISC",
              "url": "https://github.com/grymer/CVE"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2015-9287",
    "datePublished": "2019-05-13T15:44:06.000Z",
    "dateReserved": "2019-05-01T00:00:00.000Z",
    "dateUpdated": "2024-08-06T08:43:42.666Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2015-9287",
      "date": "2026-04-26",
      "epss": "0.00835",
      "percentile": "0.74701"
    },
    "fkie_nvd": {
      "configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:cam:the_university_of_cambridge_web_authentication_system_apache_authentication_agent:*:*:*:*:*:*:*:*\", \"versionEndExcluding\": \"2.0.2\", \"matchCriteriaId\": \"A6D52381-2AFB-4AD5-B7D9-F4AA10F60C50\"}]}]}]",
      "descriptions": "[{\"lang\": \"en\", \"value\": \"Directory Traversal was discovered in University of Cambridge mod_ucam_webauth before 2.0.2. The key identification field (\\\"kid\\\") of the IdP\u0027s HTTP response message (\\\"WLS-Response\\\") can be manipulated by an attacker. The \\\"kid\\\" field is not signed like the rest of the message, and manipulation is therefore trivial. The \\\"kid\\\" field should only ever represent an integer. However, it is possible to provide any string value. An attacker could use this to their advantage to force the application agent to load the RSA public key required for message integrity checking from an unintended location.\"}, {\"lang\": \"es\", \"value\": \"Fue encontrada una vulnerabilidad de Salto de Directorio (Directory Traversal) en University of Cambridge mod_ucam_webauth before 2.0.2. Un atacante puede manipular el campo de identificaci\\u00f3n de clave (\\\"Kid\\\") del mensaje de respuesta HTTP del IdP (\\\"WLS-Response\\\"). El campo \\\"Kid\\\" no est\\u00e1 firmado como el resto del mensaje y, por lo tanto, la manipulaci\\u00f3n es trivial. El campo \\\"Kid\\\" solo debe representar un n\\u00famero entero. Sin embargo, es posible suministrar cualquier valor de cadena. Un atacante podr\\u00eda usar esto para su ventaja para forzar al agente de la aplicaci\\u00f3n a cargar la clave p\\u00fablica RSA requerida para verificar la integridad del mensaje desde una ubicaci\\u00f3n no deseada.\"}]",
      "id": "CVE-2015-9287",
      "lastModified": "2024-11-21T02:40:15.423",
      "metrics": "{\"cvssMetricV30\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.0\", \"vectorString\": \"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\", \"baseScore\": 9.8, \"baseSeverity\": \"CRITICAL\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"HIGH\", \"availabilityImpact\": \"HIGH\"}, \"exploitabilityScore\": 3.9, \"impactScore\": 5.9}], \"cvssMetricV2\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"2.0\", \"vectorString\": \"AV:N/AC:L/Au:N/C:P/I:N/A:N\", \"baseScore\": 5.0, \"accessVector\": \"NETWORK\", \"accessComplexity\": \"LOW\", \"authentication\": \"NONE\", \"confidentialityImpact\": \"PARTIAL\", \"integrityImpact\": \"NONE\", \"availabilityImpact\": \"NONE\"}, \"baseSeverity\": \"MEDIUM\", \"exploitabilityScore\": 10.0, \"impactScore\": 2.9, \"acInsufInfo\": false, \"obtainAllPrivilege\": false, \"obtainUserPrivilege\": false, \"obtainOtherPrivilege\": false, \"userInteractionRequired\": false}]}",
      "published": "2019-05-13T16:29:00.350",
      "references": "[{\"url\": \"https://doi.org/10.1007/978-3-030-03251-7_1\", \"source\": \"cve@mitre.org\", \"tags\": [\"Permissions Required\", \"Third Party Advisory\"]}, {\"url\": \"https://github.com/grymer/CVE\", \"source\": \"cve@mitre.org\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"https://doi.org/10.1007/978-3-030-03251-7_1\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Permissions Required\", \"Third Party Advisory\"]}, {\"url\": \"https://github.com/grymer/CVE\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Third Party Advisory\"]}]",
      "sourceIdentifier": "cve@mitre.org",
      "vulnStatus": "Modified",
      "weaknesses": "[{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-22\"}]}]"
    }
  }
}

