CVE-2015-8400 - Vulnerability Details - OpenCVE

The HTTPS fallback implementation in Shell In A Box (aka shellinabox) before 2.19 makes it easier for remote attackers to conduct DNS rebinding attacks via the "/plain" URL.

No CVSS v4.0

No CVSS v3.1

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact None

Integrity Impact High

Availability Impact None

User Interaction Required

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

This CVE is not in the KEV list.

The EPSS score is 0.00556.

Key SSVC decision points have not yet been added.

Vendors	Products
Fedoraproject	Fedora
Shellinabox Project	Shellinabox

Configuration 1 [-]

OR	cpe:2.3:o:fedoraproject:fedora:22:::::::*
	cpe:2.3:o:fedoraproject:fedora:23:::::::*

Configuration 2 [-]

cpe:2.3:a:shellinabox_project:shellinabox:*:*:*:*:*:*:*:*

No data.

No data.

Advisories

Source	ID	Title
EUVD	EUVD-2015-8282	The HTTPS fallback implementation in Shell In A Box (aka shellinabox) before 2.19 makes it easier for remote attackers to conduct DNS rebinding attacks via the "/plain" URL.

Fixes

Solution

No solution given by the vendor.

Workaround

No workaround given by the vendor.

References

Link	Providers
http://lists.fedoraproject.org/pipermail/package-announce/2016-January/175117.html
http://lists.fedoraproject.org/pipermail/package-announce/2016-January/175224.html
http://www.openwall.com/lists/oss-security/2015/12/02/6
http://www.openwall.com/lists/oss-security/2015/12/02/7
https://github.com/shellinabox/shellinabox/issues/355
https://github.com/shellinabox/shellinabox/releases/tag/v2.19

History

No history.

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2016-01-12T19:00:00

Updated: 2024-08-06T08:13:32.892Z

Reserved: 2015-12-02T00:00:00

Link: CVE-2015-8400

Vulnrichment

No data.

NVD

Status : Deferred

Published: 2016-01-12T19:59:10.973

Modified: 2025-04-12T10:46:40.837

Link: CVE-2015-8400

Redhat

No data.

OpenCVE Enrichment

No data.

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2015-12-02T00:00:00", "descriptions": [{"lang": "en", "value": "The HTTPS fallback implementation in Shell In A Box (aka shellinabox) before 2.19 makes it easier for remote attackers to conduct DNS rebinding attacks via the \"/plain\" URL."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2016-01-12T18:57:02", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/shellinabox/shellinabox/releases/tag/v2.19"}, {"name": "FEDORA-2015-463143720f", "tags": ["vendor-advisory", "x_refsource_FEDORA"], "url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-January/175224.html"}, {"name": "[oss-security] 20151202 Re: shellinabox - DNS rebinding attack due to HTTP fallback", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "http://www.openwall.com/lists/oss-security/2015/12/02/7"}, {"name": "FEDORA-2015-1c773e8702", "tags": ["vendor-advisory", "x_refsource_FEDORA"], "url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-January/175117.html"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/shellinabox/shellinabox/issues/355"}, {"name": "[oss-security] 20151202 shellinabox - DNS rebinding attack due to HTTP fallback", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "http://www.openwall.com/lists/oss-security/2015/12/02/6"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2015-8400", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "The HTTPS fallback implementation in Shell In A Box (aka shellinabox) before 2.19 makes it easier for remote attackers to conduct DNS rebinding attacks via the \"/plain\" URL."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://github.com/shellinabox/shellinabox/releases/tag/v2.19", "refsource": "CONFIRM", "url": "https://github.com/shellinabox/shellinabox/releases/tag/v2.19"}, {"name": "FEDORA-2015-463143720f", "refsource": "FEDORA", "url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-January/175224.html"}, {"name": "[oss-security] 20151202 Re: shellinabox - DNS rebinding attack due to HTTP fallback", "refsource": "MLIST", "url": "http://www.openwall.com/lists/oss-security/2015/12/02/7"}, {"name": "FEDORA-2015-1c773e8702", "refsource": "FEDORA", "url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-January/175117.html"}, {"name": "https://github.com/shellinabox/shellinabox/issues/355", "refsource": "CONFIRM", "url": "https://github.com/shellinabox/shellinabox/issues/355"}, {"name": "[oss-security] 20151202 shellinabox - DNS rebinding attack due to HTTP fallback", "refsource": "MLIST", "url": "http://www.openwall.com/lists/oss-security/2015/12/02/6"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-06T08:13:32.892Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/shellinabox/shellinabox/releases/tag/v2.19"}, {"name": "FEDORA-2015-463143720f", "tags": ["vendor-advisory", "x_refsource_FEDORA", "x_transferred"], "url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-January/175224.html"}, {"name": "[oss-security] 20151202 Re: shellinabox - DNS rebinding attack due to HTTP fallback", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "http://www.openwall.com/lists/oss-security/2015/12/02/7"}, {"name": "FEDORA-2015-1c773e8702", "tags": ["vendor-advisory", "x_refsource_FEDORA", "x_transferred"], "url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-January/175117.html"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/shellinabox/shellinabox/issues/355"}, {"name": "[oss-security] 20151202 shellinabox - DNS rebinding attack due to HTTP fallback", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "http://www.openwall.com/lists/oss-security/2015/12/02/6"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2015-8400", "datePublished": "2016-01-12T19:00:00", "dateReserved": "2015-12-02T00:00:00", "dateUpdated": "2024-08-06T08:13:32.892Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:fedoraproject:fedora:22:*:*:*:*:*:*:*", "matchCriteriaId": "253C303A-E577-4488-93E6-68A8DD942C38", "vulnerable": true}, {"criteria": "cpe:2.3:o:fedoraproject:fedora:23:*:*:*:*:*:*:*", "matchCriteriaId": "E79AB8DD-C907-4038-A931-1A5A4CFB6A5B", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:shellinabox_project:shellinabox:*:*:*:*:*:*:*:*", "matchCriteriaId": "0123E372-6429-4345-ACE0-3A8D2778258F", "versionEndIncluding": "2.18", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "The HTTPS fallback implementation in Shell In A Box (aka shellinabox) before 2.19 makes it easier for remote attackers to conduct DNS rebinding attacks via the \"/plain\" URL."}, {"lang": "es", "value": "La implementaci\u00f3n de retorno de HTTPS en Shell In A Box (tambi\u00e9n conocido como shellinabox) en versiones anteriores a 2.19 hace que sea mas f\u00e1cil para atacantes remotos llevar a cabo ataques de revinculaci\u00f3n DNS a trav\u00e9s de la URL \"/plain\"."}], "id": "CVE-2015-8400", "lastModified": "2025-04-12T10:46:40.837", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.4, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:N", "version": "3.0"}, "exploitabilityScore": 2.8, "impactScore": 4.0, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2016-01-12T19:59:10.973", "references": [{"source": "cve@mitre.org", "url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-January/175117.html"}, {"source": "cve@mitre.org", "url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-January/175224.html"}, {"source": "cve@mitre.org", "url": "http://www.openwall.com/lists/oss-security/2015/12/02/6"}, {"source": "cve@mitre.org", "url": "http://www.openwall.com/lists/oss-security/2015/12/02/7"}, {"source": "cve@mitre.org", "tags": ["Vendor Advisory"], "url": "https://github.com/shellinabox/shellinabox/issues/355"}, {"source": "cve@mitre.org", "tags": ["Patch"], "url": "https://github.com/shellinabox/shellinabox/releases/tag/v2.19"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-January/175117.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-January/175224.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.openwall.com/lists/oss-security/2015/12/02/6"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.openwall.com/lists/oss-security/2015/12/02/7"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://github.com/shellinabox/shellinabox/issues/355"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "https://github.com/shellinabox/shellinabox/releases/tag/v2.19"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-254"}], "source": "nvd@nist.gov", "type": "Primary"}]}