CVE-2015-2186 — HIGH (7.5) — White Hats Nepal

Q: How severe is CVE-2015-2186?

CVE-2015-2186 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2015-2186?

Check the references section above for vendor advisories and patch information. Affected products include: Edx Configuration, Edx Edx-Platform.

Vulnerability Description

The Ansible edxapp role in the Configuration Repo in edX allows remote websites to spoof edX accounts by leveraging use of the string literal "False" instead of a boolean False for the CORS_ORIGIN_ALLOW_ALL setting. Note: this vulnerability was fixed on 2015-03-06, but the version number was not changed.

CVSS Score

7.5

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

NONE

Integrity

HIGH

Availability

NONE

Affected Products

Vendor	Product	Versions
Edx	Configuration	<= 1.0
Edx	Edx-Platform	<= 1.6.0

Related Weaknesses (CWE)

CWE-20

References

https://github.com/edx/configuration/pull/1885/filesPatchThird Party Advisory
https://open.edx.org/CVE-2015-2186Vendor Advisory
https://github.com/edx/configuration/pull/1885/filesPatchThird Party Advisory
https://open.edx.org/CVE-2015-2186Vendor Advisory

FAQ

What is CVE-2015-2186?

CVE-2015-2186 is a vulnerability with a CVSS score of 7.5 (HIGH). The Ansible edxapp role in the Configuration Repo in edX allows remote websites to spoof edX accounts by leveraging use of the string literal "False" instead of a boolean False for the CORS_ORIGIN_ALL...

How severe is CVE-2015-2186?

CVE-2015-2186 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2015-2186?

Check the references section above for vendor advisories and patch information. Affected products include: Edx Configuration, Edx Edx-Platform.