Thermostat "web.xml" Information Disclosure Vulnerability


Description   A vulnerability was reported in Thermostat. A local attacker can exploit it by reading the "web.xml" file in order to access or modify user credentials. The vulnerability stems from improper permissions (world writable) on the "web.xml" main configuration file ($THERMOSTAT_WEBAPP_LOCATION/WEB-INF/web.xml).
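As an added, defender-side example (not code from Thermostat, Fedora or this advisory), the following POSIX shell script audits the permission bits on a deployed web.xml and strips the "other" bits when they are set. It checks both the world-readable and the world-writable bit, since the upstream reference and the description above name different ones. The environment variable THERMOSTAT_WEBAPP_LOCATION is assumed to name the deployed webapp directory; the sample file the script creates in a temporary directory is constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not Thermostat's or Fedora's code): audit the permission bits
# on the Thermostat web.xml that CVE-2015-3201 concerns, and tighten them.
# Assumes a POSIX shell plus find/chmod. THERMOSTAT_WEBAPP_LOCATION is an
# assumed environment variable naming the deployed webapp directory.

# Return 0 when the file is neither readable nor writable by "other",
# 1 otherwise (printing which bits are set so the finding can be logged),
# 2 when the file does not exist.
check_webxml_perms() {
    f="$1"
    [ -f "$f" ] || { echo "missing: $f"; return 2; }
    rc=0
    # find -prune inspects only the named file; -perm -o=r matches when the
    # "other read" bit is set (symbolic mode works on GNU and BSD find).
    if [ -n "$(find "$f" -prune -perm -o=r -print)" ]; then
        echo "WORLD-READABLE: $f"; rc=1
    fi
    if [ -n "$(find "$f" -prune -perm -o=w -print)" ]; then
        echo "WORLD-WRITABLE: $f"; rc=1
    fi
    return $rc
}

# Remove every "other" permission bit; the webapp user and its group keep
# whatever access they already had.
harden_webxml() {
    chmod o-rwx "$1"
}

# Constructed sample deployment in a temporary directory; on a real host the
# path would be "$THERMOSTAT_WEBAPP_LOCATION/WEB-INF/web.xml".
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/WEB-INF"
    cat > "$tmp/WEB-INF/web.xml" <<'EOF'
<web-app>
  <!-- constructed placeholder; real deployments carry credentials here -->
  <context-param>
    <param-name>db.user</param-name>
    <param-value>EXAMPLE_USER</param-value>
  </context-param>
</web-app>
EOF
    chmod 666 "$tmp/WEB-INF/web.xml"    # the vulnerable state
    check_webxml_perms "$tmp/WEB-INF/web.xml" || harden_webxml "$tmp/WEB-INF/web.xml"
    check_webxml_perms "$tmp/WEB-INF/web.xml" && echo "ok: $tmp/WEB-INF/web.xml"
    rm -rf "$tmp"
}

demo
```

On a real deployment, run `check_webxml_perms "$THERMOSTAT_WEBAPP_LOCATION/WEB-INF/web.xml"` from a cron job or configuration-management check; a non-zero exit is the finding to alert on, and `harden_webxml` is the remediation until the fixed package is installed.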
     
Vulnerable Products   Vulnerable OS: Fedora (Red Hat) - 21, 22
Vulnerable Software:
     
Solution   A patch is available on Thermostat's repository.
Updated, 09/06/2015: Fixed thermostat packages for Fedora 21 and 22 are available.
     
CVE   CVE-2015-3201
     
References   - Thermostat : CVE-2015-3201: world-readable configuration file containing credentials
  http://icedtea.classpath.org/pipermail/thermostat/2015-May/013712.html
- FEDORA-2015-8867 : Fedora 22 Update: thermostat-1.2.2-7.fc22
  http://lists.fedoraproject.org/pipermail/package-announce/2015-June/159788.html
- FEDORA-2015-8919 : Fedora 21 Update: thermostat-1.0.6-2.fc21
  http://lists.fedoraproject.org/pipermail/package-announce/2015-June/159958.html
     
Vulnerability Manager Detection   No
     
IPS Protection   ASQ Engine alarm: Java : Suspicious access to META-INF and WEB-INF folders
Available Since: 3.5.0
     
Risk level   Low

Vulnerability First Public Report Date   2015-05-20

Target Type   Server

Possible exploit   Local