CVE-2014-6276
Severity: medium
CVSS v3: 4.3
CVSS v2: 4.0
VIR risk: 4.3
Description
schema.py in Roundup before 1.5.1 does not properly limit attributes included in default user permissions, which might allow remote authenticated users to obtain sensitive user information by viewing user details.
Predictions
Exploit likelihood: 53%
Patch ETA: —
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
Vendor advisory: security@debian.org — https://sourceforge.net/p/roundup/code/ci/tip/tree/CHANGES.txt
OS impact
| OS | Version | Status | Fixed in |
|---|---|---|---|
| debian | 7.0 | affected | |
| debian | 8.0 | affected | |
Package impact
| Ecosystem | Package | Vulnerable | Fixed |
|---|---|---|---|
| PyPI | roundup | <1.5.1 | 1.5.1 |
Application impact
| Vendor | Product | Versions | Fixed |
|---|---|---|---|
| roundup-tracker | roundup | <=1.5.0 | |
References
- http://hg.code.sf.net/p/roundup/code/rev/a403c29ffaf9
- http://www.debian.org/security/2016/dsa-3502
- https://sourceforge.net/p/roundup/code/ci/tip/tree/CHANGES.txt
- https://nvd.nist.gov/vuln/detail/CVE-2014-6276
- https://github.com/pypa/advisory-database/tree/main/vulns/roundup/PYSEC-2016-33.yaml
- https://github.com/roundup-tracker/roundup
CWEs
CWE-264 (Permissions, Privileges, and Access Controls)