CVE-2015-4531 - OpenCVE

EMC Documentum Content Server before 6.7SP1 P32, 6.7SP2 before P25, 7.0 before P19, 7.1 before P16, and 7.2 before P02 does not properly check authorization for subgroups of privileged groups, which allows remote authenticated sysadmins to gain super-user privileges, and bypass intended restrictions on data access and server actions, via unspecified vectors. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-4622.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact Complete

Integrity Impact Complete

Availability Impact Complete

AV:N/AC:L/Au:S/C:C/I:C/A:C

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Emc	Documentum Content Server

Configuration 1 [-]

OR	cpe:2.3:a:emc:documentum_content_server:6.7:sp1::::::
	cpe:2.3:a:emc:documentum_content_server:6.7:sp2::::::
	cpe:2.3:a:emc:documentum_content_server:7.0:::::::*
	cpe:2.3:a:emc:documentum_content_server:7.1:::::::*
	cpe:2.3:a:emc:documentum_content_server:7.2:::::::*

No data.

References

Link	Providers
http://seclists.org/bugtraq/2015/Aug/86
http://www.securityfocus.com/bid/76413

History

No history.

MITRE

Status: PUBLISHED

Assigner: dell

Published: 2015-08-20T10:00:00

Updated: 2024-08-06T06:18:11.618Z

Reserved: 2015-06-11T00:00:00

Link: CVE-2015-4531

Vulnrichment

No data.

NVD

Status : Modified

Published: 2015-08-20T10:59:12.950

Modified: 2016-11-28T19:29:05.607

Link: CVE-2015-4531

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2015-08-17T00:00:00", "descriptions": [{"lang": "en", "value": "EMC Documentum Content Server before 6.7SP1 P32, 6.7SP2 before P25, 7.0 before P19, 7.1 before P16, and 7.2 before P02 does not properly check authorization for subgroups of privileged groups, which allows remote authenticated sysadmins to gain super-user privileges, and bypass intended restrictions on data access and server actions, via unspecified vectors. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-4622."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2016-11-25T19:57:01", "orgId": "c550e75a-17ff-4988-97f0-544cde3820fe", "shortName": "dell"}, "references": [{"name": "20150817 ESA-2015-131: EMC Documentum Content Server Multiple Vulnerabilities", "tags": ["mailing-list", "x_refsource_BUGTRAQ"], "url": "http://seclists.org/bugtraq/2015/Aug/86"}, {"name": "76413", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/76413"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security_alert@emc.com", "ID": "CVE-2015-4531", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "EMC Documentum Content Server before 6.7SP1 P32, 6.7SP2 before P25, 7.0 before P19, 7.1 before P16, and 7.2 before P02 does not properly check authorization for subgroups of privileged groups, which allows remote authenticated sysadmins to gain super-user privileges, and bypass intended restrictions on data access and server actions, via unspecified vectors. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-4622."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "20150817 ESA-2015-131: EMC Documentum Content Server Multiple Vulnerabilities", "refsource": "BUGTRAQ", "url": "http://seclists.org/bugtraq/2015/Aug/86"}, {"name": "76413", "refsource": "BID", "url": "http://www.securityfocus.com/bid/76413"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-06T06:18:11.618Z"}, "title": "CVE Program Container", "references": [{"name": "20150817 ESA-2015-131: EMC Documentum Content Server Multiple Vulnerabilities", "tags": ["mailing-list", "x_refsource_BUGTRAQ", "x_transferred"], "url": "http://seclists.org/bugtraq/2015/Aug/86"}, {"name": "76413", "tags": ["vdb-entry", "x_refsource_BID", "x_transferred"], "url": "http://www.securityfocus.com/bid/76413"}]}]}, "cveMetadata": {"assignerOrgId": "c550e75a-17ff-4988-97f0-544cde3820fe", "assignerShortName": "dell", "cveId": "CVE-2015-4531", "datePublished": "2015-08-20T10:00:00", "dateReserved": "2015-06-11T00:00:00", "dateUpdated": "2024-08-06T06:18:11.618Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:emc:documentum_content_server:6.7:sp1:*:*:*:*:*:*", "matchCriteriaId": "414C33C7-CD76-49A4-9BE5-354860F2F635", "vulnerable": true}, {"criteria": "cpe:2.3:a:emc:documentum_content_server:6.7:sp2:*:*:*:*:*:*", "matchCriteriaId": "B4E00544-98F6-439C-8F4D-822FCAE775CA", "vulnerable": true}, {"criteria": "cpe:2.3:a:emc:documentum_content_server:7.0:*:*:*:*:*:*:*", "matchCriteriaId": "8335062A-5A8E-4076-B351-7DFA19CEC818", "vulnerable": true}, {"criteria": "cpe:2.3:a:emc:documentum_content_server:7.1:*:*:*:*:*:*:*", "matchCriteriaId": "B283F797-6DAA-40E1-9FAB-16FCAA5241B4", "vulnerable": true}, {"criteria": "cpe:2.3:a:emc:documentum_content_server:7.2:*:*:*:*:*:*:*", "matchCriteriaId": "87453E34-AC8E-4C79-8486-B4888C621B1C", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "EMC Documentum Content Server before 6.7SP1 P32, 6.7SP2 before P25, 7.0 before P19, 7.1 before P16, and 7.2 before P02 does not properly check authorization for subgroups of privileged groups, which allows remote authenticated sysadmins to gain super-user privileges, and bypass intended restrictions on data access and server actions, via unspecified vectors. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-4622."}, {"lang": "es", "value": "Vulnerabilidad en EMC Documentum Content Server en versiones anteriores a 6.7SP1 P32, 6.7SP2 en versiones anteriores a P25, 7.0 en versiones anteriores a P19, 7.1 en versiones anteriores a P16 y 7.2 en versiones anteriores a P02, no comprueba adecuadamente la autorizaci\u00f3n para subgrupos de grupos privilegiados, lo que permite a administradores de sistema remotos autenticados obtener privilegios de superusuario, y eludir las restricciones previstas en el acceso a los datos y a acciones de servidor, a trav\u00e9s de vectores no especificados. NOTA: esta vulnerabilidad existe debido a una soluci\u00f3n incompleta de la vulnerabilidad CVE-2014-4622."}], "id": "CVE-2015-4531", "lastModified": "2016-11-28T19:29:05.607", "metrics": {"cvssMetricV2": [{"acInsufInfo": true, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "COMPLETE", "baseScore": 9.0, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}]}, "published": "2015-08-20T10:59:12.950", "references": [{"source": "security_alert@emc.com", "url": "http://seclists.org/bugtraq/2015/Aug/86"}, {"source": "security_alert@emc.com", "url": "http://www.securityfocus.com/bid/76413"}], "sourceIdentifier": "security_alert@emc.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-264"}], "source": "nvd@nist.gov", "type": "Primary"}]}