CVE-2015-0260

RhodeCode before 2.2.7 and Kallithea 0.1 allows remote authenticated users to obtain API keys and other sensitive information via the get_repo API method.

Published Bysecalert@redhat.com

Published DateFeb 16, 2015, 15:59

Affected Versions(2)

RhodeCode(PyPI)

Introduced0

Fixed2.2.7

LimitN/A

Kallithea(PyPI)

Introduced0

Fixed0.2

LimitN/A

Package (Ecosystem)	Introduced	Fixed	Limit
RhodeCode(PyPI)	0	2.2.7	N/A
Kallithea(PyPI)	0	0.2	N/A

Weakness Type (CWE):CWE-200

CVSS Metrics

Base Score

Vector String

AV:N/AC:L/Au:S/C:P/I:N/A:N

Base Severity

Version

2.0

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality (C)

PARTIAL

Integrity (I)

NONE

Availability (A)

NONE

References

http://seclists.org/oss-sec/2015/q1/505
http://www.securityfocus.com/bid/72573
https://exchange.xforce.ibmcloud.com/vulnerabilities/100888
https://kallithea-scm.org/security/cve-2015-0260.html
https://rhodecode.com/blog/rhodecode-enterprise-security-release/

Weakness Type (CWE):CWE-200

CVSS Metrics

Base Score

Vector String

AV:N/AC:L/Au:S/C:P/I:N/A:N

Base Severity

Version

2.0

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality (C)

PARTIAL

Integrity (I)

NONE

Availability (A)

NONE