High severity 7.5 · NVD Advisory · Published Feb 1, 2018 · Updated Jun 17, 2026
CVE-2015-2204
Description
Evergreen before 2.5.9, 2.6.x before 2.6.7, and 2.7.x before 2.7.4 allows remote attackers to bypass an intended access restriction and obtain sensitive information about org unit settings by leveraging failure of open-ils.actor.ou_setting.ancestor_default to enforce view_perm when no auth token is provided.
References
- evergreen-ils.org/security-releases-evergreen-2-7-4-2-6-7-and-2-5-9/ (nvd: Issue Tracking, Patch, Release Notes)
- bugs.launchpad.net/evergreen/+bug/1424755 (nvd: Issue Tracking, Patch, Vendor Advisory)
- www.openwall.com/lists/oss-security/2015/03/04/3 (nvd: Issue Tracking, Mailing List, Third Party Advisory)
- www.securityfocus.com/bid/72889 (nvd: Third Party Advisory, VDB Entry)
- evergreen-ils.org/downloads/ChangeLog-2.5.8-2.5.9 (nvd: Issue Tracking, Release Notes)
- evergreen-ils.org/downloads/ChangeLog-2.6.6-2.6.7 (nvd: Issue Tracking, Release Notes)
- evergreen-ils.org/downloads/ChangeLog-2.7.3-2.7.4 (nvd: Issue Tracking, Release Notes)
- git.evergreen-ils.org (nvd)