CVE-2015-7298 - Vulnerability Details - OpenCVE

ownCloud Desktop Client before 2.0.1, when compiled with a Qt release after 5.3.x, does not call QNetworkReply::ignoreSslErrors with the list of errors to be ignored, which makes it easier for remote attackers to conduct man-in-the-middle (MITM) attacks by leveraging a server using a self-signed certificate. NOTE: this vulnerability exists because of a partial CVE-2015-4456 regression.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

Access Vector Network

Access Complexity High

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Owncloud	Owncloud Desktop Client
Qt	Qt

Configuration 1 [-]

OR	cpe:2.3:a:owncloud:owncloud_desktop_client::::::::
	cpe:2.3:a:qt:qt:5.3.0:::::::*
	cpe:2.3:a:qt:qt:5.4.1:::::::*

No data.

References

Link	Providers
https://owncloud.org/security/advisory/?id=oc-sa-2015-016

History

No history.

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2015-10-26T14:00:00

Updated: 2024-08-06T07:43:46.168Z

Reserved: 2015-09-21T00:00:00

Link: CVE-2015-7298

Vulnrichment

No data.

NVD

Status : Modified

Published: 2015-10-26T14:59:10.687

Modified: 2024-11-21T02:36:32.430

Link: CVE-2015-7298

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2015-09-21T00:00:00", "descriptions": [{"lang": "en", "value": "ownCloud Desktop Client before 2.0.1, when compiled with a Qt release after 5.3.x, does not call QNetworkReply::ignoreSslErrors with the list of errors to be ignored, which makes it easier for remote attackers to conduct man-in-the-middle (MITM) attacks by leveraging a server using a self-signed certificate. NOTE: this vulnerability exists because of a partial CVE-2015-4456 regression."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2015-10-26T12:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://owncloud.org/security/advisory/?id=oc-sa-2015-016"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2015-7298", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "ownCloud Desktop Client before 2.0.1, when compiled with a Qt release after 5.3.x, does not call QNetworkReply::ignoreSslErrors with the list of errors to be ignored, which makes it easier for remote attackers to conduct man-in-the-middle (MITM) attacks by leveraging a server using a self-signed certificate. NOTE: this vulnerability exists because of a partial CVE-2015-4456 regression."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://owncloud.org/security/advisory/?id=oc-sa-2015-016", "refsource": "CONFIRM", "url": "https://owncloud.org/security/advisory/?id=oc-sa-2015-016"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-06T07:43:46.168Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://owncloud.org/security/advisory/?id=oc-sa-2015-016"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2015-7298", "datePublished": "2015-10-26T14:00:00", "dateReserved": "2015-09-21T00:00:00", "dateUpdated": "2024-08-06T07:43:46.168Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:owncloud:owncloud_desktop_client:*:*:*:*:*:*:*:*", "matchCriteriaId": "8A647DF5-F980-495F-A978-FF2C7CD4932D", "versionEndIncluding": "2.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:qt:qt:5.3.0:*:*:*:*:*:*:*", "matchCriteriaId": "E2980C52-9843-4A39-B164-76E9583F2D7E", "vulnerable": true}, {"criteria": "cpe:2.3:a:qt:qt:5.4.1:*:*:*:*:*:*:*", "matchCriteriaId": "FBC2E1E7-F841-47A1-8D1E-9A30EC93BDF5", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "ownCloud Desktop Client before 2.0.1, when compiled with a Qt release after 5.3.x, does not call QNetworkReply::ignoreSslErrors with the list of errors to be ignored, which makes it easier for remote attackers to conduct man-in-the-middle (MITM) attacks by leveraging a server using a self-signed certificate. NOTE: this vulnerability exists because of a partial CVE-2015-4456 regression."}, {"lang": "es", "value": "ownCloud Desktop Client en versiones anteriores a 2.0.1, cuando es compliado con un lanzamiento de Qt en versiones posteriores a 5.3.x, no llama a QNetworkReply::ignoreSslErrors con la lista de errores para ser ignorados, lo que hace m\u00e1s f\u00e1cil para atacantes remotos llevar a cabo ataques man-in-the-middle (MITM) aprovechando un servidor utilizando un certificado autofirmado. NOTA: esta vulnerabilidad existe a causa de una regresi\u00f3n parcial de CVE-2015-4456."}], "evaluatorComment": "<a href=\"http://cwe.mitre.org/data/definitions/297.html\" target=\"_blank\">CWE-297: Improper Validation of Certificate with Host Mismatch</a>", "id": "CVE-2015-7298", "lastModified": "2024-11-21T02:36:32.430", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "HIGH", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 5.1, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:H/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 4.9, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}]}, "published": "2015-10-26T14:59:10.687", "references": [{"source": "cve@mitre.org", "tags": ["Vendor Advisory"], "url": "https://owncloud.org/security/advisory/?id=oc-sa-2015-016"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://owncloud.org/security/advisory/?id=oc-sa-2015-016"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-Other"}], "source": "nvd@nist.gov", "type": "Primary"}]}