CVE-2015-5490 - Vulnerability Details - OpenCVE

The _views_fetch_data method in includes/cache.inc in the Views module 7.x-3.5 through 7.x-3.10 for Drupal does not rebuild the full cache if the static cache is not empty, which allows remote attackers to bypass intended filters and obtain access to hidden content via unspecified vectors.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

This CVE is not in the KEV list.

The EPSS score is 0.00417.

Key SSVC decision points have not yet been added.

Vendors	Products
Views Project Subscribe	Views Subscribe

Configuration 1 [-]

OR	cpe:2.3:a:views_project:views:7.x-3.5:::::drupal::
	cpe:2.3:a:views_project:views:7.x-3.6:::::drupal::
	cpe:2.3:a:views_project:views:7.x-3.7:::::drupal::
	cpe:2.3:a:views_project:views:7.x-3.8:::::drupal::
	cpe:2.3:a:views_project:views:7.x-3.10:::::drupal::

No data.

No data.

Advisories

Source	ID	Title
EUVD	EUVD-2015-5445	The _views_fetch_data method in includes/cache.inc in the Views module 7.x-3.5 through 7.x-3.10 for Drupal does not rebuild the full cache if the static cache is not empty, which allows remote attackers to bypass intended filters and obtain access to hidden content via unspecified vectors.

Fixes

Solution

No solution given by the vendor.

Workaround

No workaround given by the vendor.

References

Link	Providers
http://cgit.drupalcode.org/views/commit/?id=cef693b
http://www.openwall.com/lists/oss-security/2015/07/04/4
http://www.securityfocus.com/bid/74462
https://www.drupal.org/node/2475669
https://www.drupal.org/node/2480259
https://www.drupal.org/node/2480327

History

No history.

Projects

Sign in to view the affected projects.

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2015-08-18T17:00:00

Updated: 2024-08-06T06:50:02.460Z

Reserved: 2015-07-10T00:00:00

Link: CVE-2015-5490

Vulnrichment

No data.

NVD

Status : Deferred

Published: 2015-08-18T17:59:31.833

Modified: 2025-04-12T10:46:40.837

Link: CVE-2015-5490

Redhat

No data.

OpenCVE Enrichment

No data.

Weaknesses

CWE-200

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2015-04-29T00:00:00", "descriptions": [{"lang": "en", "value": "The _views_fetch_data method in includes/cache.inc in the Views module 7.x-3.5 through 7.x-3.10 for Drupal does not rebuild the full cache if the static cache is not empty, which allows remote attackers to bypass intended filters and obtain access to hidden content via unspecified vectors."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2016-11-25T19:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://www.drupal.org/node/2480327"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://www.drupal.org/node/2480259"}, {"tags": ["x_refsource_MISC"], "url": "https://www.drupal.org/node/2475669"}, {"name": "74462", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/74462"}, {"name": "[oss-security] 20150704 CVE requests for Drupal contributed modules (from SA-CONTRIB-2015-100 to SA-CONTRIB-2015-131)", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "http://www.openwall.com/lists/oss-security/2015/07/04/4"}, {"tags": ["x_refsource_CONFIRM"], "url": "http://cgit.drupalcode.org/views/commit/?id=cef693b"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2015-5490", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "The _views_fetch_data method in includes/cache.inc in the Views module 7.x-3.5 through 7.x-3.10 for Drupal does not rebuild the full cache if the static cache is not empty, which allows remote attackers to bypass intended filters and obtain access to hidden content via unspecified vectors."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://www.drupal.org/node/2480327", "refsource": "MISC", "url": "https://www.drupal.org/node/2480327"}, {"name": "https://www.drupal.org/node/2480259", "refsource": "CONFIRM", "url": "https://www.drupal.org/node/2480259"}, {"name": "https://www.drupal.org/node/2475669", "refsource": "MISC", "url": "https://www.drupal.org/node/2475669"}, {"name": "74462", "refsource": "BID", "url": "http://www.securityfocus.com/bid/74462"}, {"name": "[oss-security] 20150704 CVE requests for Drupal contributed modules (from SA-CONTRIB-2015-100 to SA-CONTRIB-2015-131)", "refsource": "MLIST", "url": "http://www.openwall.com/lists/oss-security/2015/07/04/4"}, {"name": "http://cgit.drupalcode.org/views/commit/?id=cef693b", "refsource": "CONFIRM", "url": "http://cgit.drupalcode.org/views/commit/?id=cef693b"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-06T06:50:02.460Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.drupal.org/node/2480327"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://www.drupal.org/node/2480259"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.drupal.org/node/2475669"}, {"name": "74462", "tags": ["vdb-entry", "x_refsource_BID", "x_transferred"], "url": "http://www.securityfocus.com/bid/74462"}, {"name": "[oss-security] 20150704 CVE requests for Drupal contributed modules (from SA-CONTRIB-2015-100 to SA-CONTRIB-2015-131)", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "http://www.openwall.com/lists/oss-security/2015/07/04/4"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "http://cgit.drupalcode.org/views/commit/?id=cef693b"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2015-5490", "datePublished": "2015-08-18T17:00:00", "dateReserved": "2015-07-10T00:00:00", "dateUpdated": "2024-08-06T06:50:02.460Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:views_project:views:7.x-3.5:*:*:*:*:drupal:*:*", "matchCriteriaId": "15890CE7-5208-4DD1-BCAC-2809091145D2", "vulnerable": true}, {"criteria": "cpe:2.3:a:views_project:views:7.x-3.6:*:*:*:*:drupal:*:*", "matchCriteriaId": "2D7AEF4E-57D4-4126-B013-0E9EA29F1875", "vulnerable": true}, {"criteria": "cpe:2.3:a:views_project:views:7.x-3.7:*:*:*:*:drupal:*:*", "matchCriteriaId": "013171AE-1195-496C-AF2E-450DA98A2D60", "vulnerable": true}, {"criteria": "cpe:2.3:a:views_project:views:7.x-3.8:*:*:*:*:drupal:*:*", "matchCriteriaId": "F1D695A3-33F1-4E15-BA91-AF7A3C153D16", "vulnerable": true}, {"criteria": "cpe:2.3:a:views_project:views:7.x-3.10:*:*:*:*:drupal:*:*", "matchCriteriaId": "17D783C7-6DC2-4113-BA1E-021162A302DE", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "The _views_fetch_data method in includes/cache.inc in the Views module 7.x-3.5 through 7.x-3.10 for Drupal does not rebuild the full cache if the static cache is not empty, which allows remote attackers to bypass intended filters and obtain access to hidden content via unspecified vectors."}, {"lang": "es", "value": "Vulnerabilidad en el m\u00e9todo _views_fetch_data en includes/cache.inc en el m\u00f3dulo Views 7.x-3.5 hasta 7.x-3.10 para Drupal, no reconstruye la cach\u00e9 completa si la cach\u00e9 est\u00e1tica no est\u00e1 vac\u00eda, lo que permite a atacantes remotos eludir los filtros previstos y obtener acceso a contenido oculto a trav\u00e9s de vectores no especificados."}], "id": "CVE-2015-5490", "lastModified": "2025-04-12T10:46:40.837", "metrics": {"cvssMetricV2": [{"acInsufInfo": true, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}]}, "published": "2015-08-18T17:59:31.833", "references": [{"source": "cve@mitre.org", "url": "http://cgit.drupalcode.org/views/commit/?id=cef693b"}, {"source": "cve@mitre.org", "url": "http://www.openwall.com/lists/oss-security/2015/07/04/4"}, {"source": "cve@mitre.org", "url": "http://www.securityfocus.com/bid/74462"}, {"source": "cve@mitre.org", "tags": ["Exploit"], "url": "https://www.drupal.org/node/2475669"}, {"source": "cve@mitre.org", "tags": ["Patch"], "url": "https://www.drupal.org/node/2480259"}, {"source": "cve@mitre.org", "tags": ["Patch", "Vendor Advisory"], "url": "https://www.drupal.org/node/2480327"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://cgit.drupalcode.org/views/commit/?id=cef693b"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.openwall.com/lists/oss-security/2015/07/04/4"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.securityfocus.com/bid/74462"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit"], "url": "https://www.drupal.org/node/2475669"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "https://www.drupal.org/node/2480259"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Vendor Advisory"], "url": "https://www.drupal.org/node/2480327"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-200"}], "source": "nvd@nist.gov", "type": "Primary"}]}