CVE-2015-3201

Published: Jun 8, 2015Modified: May 6, 2026

2.1

Vector

AV:L/AC:L/Au:N/C:P/I:N/A:N

Exploitability: 3.9 / Impact: 2.9

Source: NVD

Description

Thermostat before 2.0.0 uses world-readable permissions for the web.xml configuration file, which allows local users to obtain user credentials by reading the file.

Affected (1)

Products: Redhat: Thermostat

Redhat

1 product

Thermostat

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Redhat Thermostat	Up to 1.4

Related CWEs

CWE-200

Exposure of Sensitive Information to an Unauthorized Actor

The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

References (12)

http://icedtea.classpath.org/bugzilla/show_bug.cgi?id=2372

Source: secalert@redhat.com

Exploit

http://icedtea.classpath.org/hg/thermostat/rev/c2f18f81f57a

Source: secalert@redhat.com

http://lists.fedoraproject.org/pipermail/package-announce/2015-June/159788.html

Source: secalert@redhat.com

http://lists.fedoraproject.org/pipermail/package-announce/2015-June/159958.html

Source: secalert@redhat.com

http://rhn.redhat.com/errata/RHSA-2015-1052.html

Source: secalert@redhat.com

Vendor Advisory

http://www.securityfocus.com/bid/75066

Source: secalert@redhat.com

http://icedtea.classpath.org/bugzilla/show_bug.cgi?id=2372