CVE-2015-5505 - OpenCVE

The HTTP Strict Transport Security (HSTS) module 6.x-1.x before 6.x-1.1 and 7.x-1.x before 7.x-1.2 for Drupal does not properly implement the "include subdomains" directive, which causes the HSTS policy to not be applied to subdomains and allows man-in-the-middle attackers to have unspecified impact via unknown vectors.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

AV:N/AC:M/Au:N/C:P/I:P/A:P

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Codfront Labs	Http Strict Transport Security

Configuration 1 [-]

OR	cpe:2.3:a:codfront_labs:http_strict_transport_security:6.x-1.0:::::drupal::
	cpe:2.3:a:codfront_labs:http_strict_transport_security:6.x-1.0:rc1::::drupal::*
	cpe:2.3:a:codfront_labs:http_strict_transport_security:6.x-1.x:dev::::drupal::*
	cpe:2.3:a:codfront_labs:http_strict_transport_security:7.x-1.0:::::drupal::
	cpe:2.3:a:codfront_labs:http_strict_transport_security:7.x-1.0:rc1::::drupal::*
	cpe:2.3:a:codfront_labs:http_strict_transport_security:7.x-1.1:::::drupal::

No data.

References

Link	Providers
http://www.openwall.com/lists/oss-security/2015/07/04/4
http://www.securityfocus.com/bid/75276
http://www.securitytracker.com/id/1037633
https://www.drupal.org/node/2507539
https://www.drupal.org/node/2507543
https://www.drupal.org/node/2507563

History

No history.

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2015-08-18T17:00:00

Updated: 2024-08-06T06:50:02.617Z

Reserved: 2015-07-10T00:00:00

Link: CVE-2015-5505

Vulnrichment

No data.

NVD

Status : Modified

Published: 2015-08-18T18:00:09.927

Modified: 2017-07-26T01:29:00.290

Link: CVE-2015-5505

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2015-06-17T00:00:00", "descriptions": [{"lang": "en", "value": "The HTTP Strict Transport Security (HSTS) module 6.x-1.x before 6.x-1.1 and 7.x-1.x before 7.x-1.2 for Drupal does not properly implement the \"include subdomains\" directive, which causes the HSTS policy to not be applied to subdomains and allows man-in-the-middle attackers to have unspecified impact via unknown vectors."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2017-07-25T09:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://www.drupal.org/node/2507563"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://www.drupal.org/node/2507539"}, {"name": "75276", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/75276"}, {"name": "[oss-security] 20150704 CVE requests for Drupal contributed modules (from SA-CONTRIB-2015-100 to SA-CONTRIB-2015-131)", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "http://www.openwall.com/lists/oss-security/2015/07/04/4"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://www.drupal.org/node/2507543"}, {"name": "1037633", "tags": ["vdb-entry", "x_refsource_SECTRACK"], "url": "http://www.securitytracker.com/id/1037633"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2015-5505", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "The HTTP Strict Transport Security (HSTS) module 6.x-1.x before 6.x-1.1 and 7.x-1.x before 7.x-1.2 for Drupal does not properly implement the \"include subdomains\" directive, which causes the HSTS policy to not be applied to subdomains and allows man-in-the-middle attackers to have unspecified impact via unknown vectors."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://www.drupal.org/node/2507563", "refsource": "MISC", "url": "https://www.drupal.org/node/2507563"}, {"name": "https://www.drupal.org/node/2507539", "refsource": "CONFIRM", "url": "https://www.drupal.org/node/2507539"}, {"name": "75276", "refsource": "BID", "url": "http://www.securityfocus.com/bid/75276"}, {"name": "[oss-security] 20150704 CVE requests for Drupal contributed modules (from SA-CONTRIB-2015-100 to SA-CONTRIB-2015-131)", "refsource": "MLIST", "url": "http://www.openwall.com/lists/oss-security/2015/07/04/4"}, {"name": "https://www.drupal.org/node/2507543", "refsource": "CONFIRM", "url": "https://www.drupal.org/node/2507543"}, {"name": "1037633", "refsource": "SECTRACK", "url": "http://www.securitytracker.com/id/1037633"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-06T06:50:02.617Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.drupal.org/node/2507563"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://www.drupal.org/node/2507539"}, {"name": "75276", "tags": ["vdb-entry", "x_refsource_BID", "x_transferred"], "url": "http://www.securityfocus.com/bid/75276"}, {"name": "[oss-security] 20150704 CVE requests for Drupal contributed modules (from SA-CONTRIB-2015-100 to SA-CONTRIB-2015-131)", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "http://www.openwall.com/lists/oss-security/2015/07/04/4"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://www.drupal.org/node/2507543"}, {"name": "1037633", "tags": ["vdb-entry", "x_refsource_SECTRACK", "x_transferred"], "url": "http://www.securitytracker.com/id/1037633"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2015-5505", "datePublished": "2015-08-18T17:00:00", "dateReserved": "2015-07-10T00:00:00", "dateUpdated": "2024-08-06T06:50:02.617Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:codfront_labs:http_strict_transport_security:6.x-1.0:*:*:*:*:drupal:*:*", "matchCriteriaId": "763BE87D-0D10-45C2-B38D-0D9A6699A445", "vulnerable": true}, {"criteria": "cpe:2.3:a:codfront_labs:http_strict_transport_security:6.x-1.0:rc1:*:*:*:drupal:*:*", "matchCriteriaId": "E72C6DB9-DBB9-41E5-B30D-0BBE5AC02B48", "vulnerable": true}, {"criteria": "cpe:2.3:a:codfront_labs:http_strict_transport_security:6.x-1.x:dev:*:*:*:drupal:*:*", "matchCriteriaId": "DF5976DF-6982-4D4C-AA88-4CE61199DEB4", "vulnerable": true}, {"criteria": "cpe:2.3:a:codfront_labs:http_strict_transport_security:7.x-1.0:*:*:*:*:drupal:*:*", "matchCriteriaId": "9D25C420-6A87-4824-BBB1-6AE9017476EC", "vulnerable": true}, {"criteria": "cpe:2.3:a:codfront_labs:http_strict_transport_security:7.x-1.0:rc1:*:*:*:drupal:*:*", "matchCriteriaId": "751AC80A-E9D3-44FE-8DFC-A06F2313FA94", "vulnerable": true}, {"criteria": "cpe:2.3:a:codfront_labs:http_strict_transport_security:7.x-1.1:*:*:*:*:drupal:*:*", "matchCriteriaId": "921CB3A5-4C85-4AAD-ACFB-D4CD271F12EE", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "The HTTP Strict Transport Security (HSTS) module 6.x-1.x before 6.x-1.1 and 7.x-1.x before 7.x-1.2 for Drupal does not properly implement the \"include subdomains\" directive, which causes the HSTS policy to not be applied to subdomains and allows man-in-the-middle attackers to have unspecified impact via unknown vectors."}, {"lang": "es", "value": "Vulnerabilidad en el m\u00f3dulo HTTP Strict Transport Security (HSTS) 6.x-1.x en versiones anteriores a 6.x-1.1 y 7.x-1.x en versiones anteriores a 7.x-1.2 para Drupal, no implementa adecuadamente la directiva 'include subdomains', lo que causa que la pol\u00edtica HSTS no se aplique a subdominios y permite a atacantes man-in-the-middle tener un impacto no especificado a trav\u00e9s de vectores desconocidos."}], "id": "CVE-2015-5505", "lastModified": "2017-07-26T01:29:00.290", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 6.8, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}]}, "published": "2015-08-18T18:00:09.927", "references": [{"source": "cve@mitre.org", "url": "http://www.openwall.com/lists/oss-security/2015/07/04/4"}, {"source": "cve@mitre.org", "url": "http://www.securityfocus.com/bid/75276"}, {"source": "cve@mitre.org", "url": "http://www.securitytracker.com/id/1037633"}, {"source": "cve@mitre.org", "tags": ["Patch"], "url": "https://www.drupal.org/node/2507539"}, {"source": "cve@mitre.org", "tags": ["Patch"], "url": "https://www.drupal.org/node/2507543"}, {"source": "cve@mitre.org", "tags": ["Patch", "Vendor Advisory"], "url": "https://www.drupal.org/node/2507563"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-17"}], "source": "nvd@nist.gov", "type": "Primary"}]}