CVE-2015-5255
Apache Flex BlazeDS 4.7.1 SSRF
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
0Exploited in Wild
-Decision
Descriptions
Adobe BlazeDS, as used in ColdFusion 10 before Update 18 and 11 before Update 7 and LiveCycle Data Services 3.0.x before 3.0.0.354175, 3.1.x before 3.1.0.354180, 4.5.x before 4.5.1.354177, 4.6.2.x before 4.6.2.354178, and 4.7.x before 4.7.0.354178, allows remote attackers to send HTTP traffic to intranet servers via a crafted XML document, related to a Server-Side Request Forgery (SSRF) issue.
Adobe BlazeDS, como se utiliza en ColdFusion 10 en versiones anteriores a Update 18 y 11 en versiones anteriores a Update 7 y LiveCycle Data Services 3.0.x en versiones anteriores a 3.0.0.354175, 3.1.x en versiones anteriores a 3.1.0.354180, 4.5.x en versiones anteriores a 4.5.1.354177, 4.6.2.x en versiones anteriores a 4.6.2.354178 y 4.7.x en versiones anteriores a 4.7.0.354178, permite a atacantes remotos enviar tráfico HTTP a los servidores de la intranet a través de un documento XML manipulado, relacionado con un problema Server-Side Request Forgery (SSRF).
Apache Flex BlazeDS versions 4.7.0 and 4.7.1 suffer from a server-side request forgery vulnerability.
CVSS Scores
SSVC
- Decision:-
Timeline
- 2015-07-01 CVE Reserved
- 2015-11-18 CVE Published
- 2023-03-07 EPSS Updated
- 2024-08-06 CVE Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-20: Improper Input Validation
CAPEC
References (9)
| URL | Tag | Source |
|---|---|---|
| http://packetstormsecurity.com/files/134506/Apache-Flex-BlazeDS-4.7.1-SSRF.html | X_refsource_misc |
|
| http://www.securityfocus.com/archive/1/536958/100/0/threaded | Mailing List | |
| http://www.securityfocus.com/bid/77626 | Vdb Entry | |
| http://www.securitytracker.com/id/1034210 | Vdb Entry | |
| http://www.vmware.com/security/advisories/VMSA-2015-0008.html | X_refsource_confirm | |
| https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05073670 | Third Party Advisory |
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|---|---|
| https://helpx.adobe.com/security/products/coldfusion/apsb15-29.html | 2020-09-04 | |
| https://helpx.adobe.com/security/products/livecycleds/apsb15-30.html | 2020-09-04 |
| URL | Date | SRC |
|---|---|---|
| http://marc.info/?l=bugtraq&m=145996963420108&w=2 | 2020-09-04 |
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Hp Search vendor "Hp" | Xp P9000 Command View Advanced Edition Search vendor "Hp" for product "Xp P9000 Command View Advanced Edition" | - | - |
Affected
| ||||||
| Hp Search vendor "Hp" | Xp7 Command View Advanced Edition Search vendor "Hp" for product "Xp7 Command View Advanced Edition" | - | - |
Affected
| ||||||
| Adobe Search vendor "Adobe" | Coldfusion Search vendor "Adobe" for product "Coldfusion" | <= 10.0 Search vendor "Adobe" for product "Coldfusion" and version " <= 10.0" | update17 |
Affected
| ||||||
| Adobe Search vendor "Adobe" | Coldfusion Search vendor "Adobe" for product "Coldfusion" | <= 11.0 Search vendor "Adobe" for product "Coldfusion" and version " <= 11.0" | update6 |
Affected
| ||||||
| Adobe Search vendor "Adobe" | Livecycle Data Services Search vendor "Adobe" for product "Livecycle Data Services" | 3.0 Search vendor "Adobe" for product "Livecycle Data Services" and version "3.0" | - |
Affected
| ||||||
| Adobe Search vendor "Adobe" | Livecycle Data Services Search vendor "Adobe" for product "Livecycle Data Services" | 4.5 Search vendor "Adobe" for product "Livecycle Data Services" and version "4.5" | - |
Affected
| ||||||
| Adobe Search vendor "Adobe" | Livecycle Data Services Search vendor "Adobe" for product "Livecycle Data Services" | 4.6 Search vendor "Adobe" for product "Livecycle Data Services" and version "4.6" | - |
Affected
| ||||||
| Adobe Search vendor "Adobe" | Livecycle Data Services Search vendor "Adobe" for product "Livecycle Data Services" | 4.7 Search vendor "Adobe" for product "Livecycle Data Services" and version "4.7" | - |
Affected
| ||||||