CVE-2015-1498

2015-02-1615:59:11

CWE-264

[email protected]

web.nvd.nist.gov

cve

2015

1498

remote attackers

persistent systems

radia client automation

user accounts

unauthorized access

security vulnerability

10 High

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:L/Au:N/C:C/I:C/A:C

6.9 Medium

AI Score

Confidence

Low

0.698 Medium

EPSS

Percentile

98.0%

JSON

Persistent Systems Radia Client Automation does not properly restrict access to certain request, which allows remote attackers to (1) enumerate user accounts via a getUsers request, (2) assign a role to a user account via an addAssigneesToRole request, (3) remove a role from a user account via a removeAssigneesFromRole request, or (4) have other unspecified impact.

Affected configurations

NVD

Node

persistent_systemsradia_client_automationMatch-

CPENameOperatorVersion
persistent_systems:radia_client_automationpersistent systems radia client automationeq-

CPE	Name	Operator	Version
persistent_systems:radia_client_automation	persistent systems radia client automation	eq	-

References

www.zerodayinitiative.com/advisories/ZDI-15-039/

radiasupport.accelerite.com/hc/en-us/articles/203659814-Accelerite-releases-solutions-and-best-practices-to-enhance-the-security-for-RBAC-and-Remote-Notify-features