Base Score

HIGH7.4

CVE-2015-8400

The HTTPS fallback implementation in Shell In A Box (aka shellinabox) before 2.19 makes it easier for remote attackers to conduct DNS rebinding attacks via the "/plain" URL.

VectorNETWORK

Published Bycve@mitre.org

Published DateJan 12, 2016, 19:59

Weakness Type (CWE):CWE-254

CVSS Metrics

Base Score

7.4

Vector String

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:N

Base Severity

HIGH

Version

3.0

Attack Vector (AV)

NETWORK

Attack Complexity (AC)

LOW

Privileges Required (PR)

NONE

User Interaction (UI)

REQUIRED

Scope (S)

CHANGED

Confidentiality (C)

NONE

Integrity (I)

HIGH

Availability (A)

NONE

References

http://lists.fedoraproject.org/pipermail/package-announce/2016-January/175117.html
http://lists.fedoraproject.org/pipermail/package-announce/2016-January/175224.html
http://www.openwall.com/lists/oss-security/2015/12/02/6
http://www.openwall.com/lists/oss-security/2015/12/02/7
https://github.com/shellinabox/shellinabox/issues/355
https://github.com/shellinabox/shellinabox/releases/tag/v2.19

Base Score

HIGH7.4

Weakness Type (CWE):CWE-254

CVSS Metrics

Base Score

7.4

Vector String

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:N

Base Severity

HIGH

Version

3.0

Attack Vector (AV)

NETWORK

Attack Complexity (AC)

LOW

Privileges Required (PR)

NONE

User Interaction (UI)

REQUIRED

Scope (S)

CHANGED

Confidentiality (C)

NONE

Integrity (I)

HIGH

Availability (A)

NONE