Lucene search

[email protected]CVE-2015-5970

HistoryFeb 18, 2016 - 10:59 p.m.

CVE-2015-5970

2016-02-1822:59:00

CWE-94

[email protected]

web.nvd.nist.gov

cve-2015-5970

changepassword

rpc method

novell

zenworks configuration management

xpath injection

nvd

5.3 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

5.4 Medium

AI Score

Confidence

High

5 Medium

CVSS2

Access Vector

Access Complexity

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:N/C:P/I:N/A:N

0.042 Low

EPSS

Percentile

92.2%

JSON

The ChangePassword RPC method in Novell ZENworks Configuration Management (ZCM) 11.3 and 11.4 allows remote attackers to conduct XPath injection attacks, and read arbitrary text files, via a malformed query involving a system entity reference.

Affected configurations

NVD

Node

novellzenworks_configuration_managementMatch11.3.0

novellzenworks_configuration_managementMatch11.3.1

novellzenworks_configuration_managementMatch11.3.2

novellzenworks_configuration_managementMatch11.4.0

novellzenworks_configuration_managementMatch11.4.1

CPENameOperatorVersion
novell:zenworks_configuration_managementnovell zenworks configuration managementeq11.3.0
novell:zenworks_configuration_managementnovell zenworks configuration managementeq11.3.1
novell:zenworks_configuration_managementnovell zenworks configuration managementeq11.3.2
novell:zenworks_configuration_managementnovell zenworks configuration managementeq11.4.0
novell:zenworks_configuration_managementnovell zenworks configuration managementeq11.4.1

CPE	Name	Operator	Version
novell:zenworks_configuration_management	novell zenworks configuration management	eq	11.3.0
novell:zenworks_configuration_management	novell zenworks configuration management	eq	11.3.1
novell:zenworks_configuration_management	novell zenworks configuration management	eq	11.3.2
novell:zenworks_configuration_management	novell zenworks configuration management	eq	11.4.0
novell:zenworks_configuration_management	novell zenworks configuration management	eq	11.4.1

References

www.zerodayinitiative.com/advisories/ZDI-16-167

www.novell.com/support/kb/doc.php?id=7017240

5.3 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

5.4 Medium

AI Score

Confidence

High

5 Medium

CVSS2

Access Vector

Access Complexity

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:N/C:P/I:N/A:N

0.042 Low

EPSS

Percentile

92.2%

JSON

Related for CVE-2015-5970

nessus1 nvd1 cvelist1 zdi1 prion1