Details of VAR-201708-0347

ID

VAR-201708-0347

CVE

CVE-2015-3655

TITLE

Aruba Networks ClearPass Policy Manager Cross-Site Request Forgery Vulnerability

Trust: 1.2

sources: CNVD: CNVD-2017-26327 // CNNVD: CNNVD-201708-1340

DESCRIPTION

Cross-site request forgery (CSRF) vulnerability in Aruba Networks ClearPass Policy Manager before 6.4.7 and 6.5.x before 6.5.2 allows remote attackers to hijack the authentication of administrators by leveraging improper enforcement of the anti-CSRF token. ArubaNetworksClearPassPolicyManager (CPPM) is a BYOD (bring your own device) network access control policy implementation platform from Aruba Networks. A cross-site request forgery vulnerability exists in versions prior to ArubaNetworksCPPM 6.4.7 and in versions 6.5.x prior to 6.5.2. A remote attacker could exploit this vulnerability to perform unauthorized operations. Other attacks are also possible

Trust: 2.52

sources: NVD: CVE-2015-3655 // JVNDB: JVNDB-2015-007790 // CNVD: CNVD-2017-26327 // BID: 100594 // VULMON: CVE-2015-3655

IOT TAXONOMY

category:

['Network device']

sub_category:

Trust: 0.6

sources: CNVD: CNVD-2017-26327

AFFECTED PRODUCTS

vendor:	arubanetworks	model:	clearpass	scope:	lt	version:	6.4.7	Trust: 1.0
vendor:	arubanetworks	model:	clearpass	scope:	gte	version:	6.4.0	Trust: 1.0
vendor:	arubanetworks	model:	clearpass	scope:	gte	version:	6.5.0	Trust: 1.0
vendor:	arubanetworks	model:	clearpass	scope:	lt	version:	6.5.2	Trust: 1.0
vendor:	aruba	model:	clearpass policy manager	scope:	eq	version:	6.5.2	Trust: 0.8
vendor:	aruba	model:	clearpass policy manager	scope:	lt	version:	6.5.x	Trust: 0.8
vendor:	aruba	model:	networks clearpass policy manager	scope:	lt	version:	6.4.7	Trust: 0.6
vendor:	aruba	model:	networks clearpass policy manager	scope:	eq	version:	6.5.*<6.5.2	Trust: 0.6
vendor:	arubanetworks	model:	clearpass	scope:	eq	version:	6.4.6	Trust: 0.6
vendor:	arubanetworks	model:	clearpass	scope:	eq	version:	6.5.1	Trust: 0.6
vendor:	arubanetworks	model:	clearpass	scope:	eq	version:	6.5	Trust: 0.6
vendor:	arubanetworks	model:	clearpass policy manager	scope:	eq	version:	6.5.1	Trust: 0.3
vendor:	arubanetworks	model:	clearpass policy manager	scope:	eq	version:	6.5	Trust: 0.3
vendor:	arubanetworks	model:	clearpass policy manager	scope:	eq	version:	6.4.6	Trust: 0.3
vendor:	arubanetworks	model:	clearpass policy manager	scope:	eq	version:	6.4.5	Trust: 0.3
vendor:	arubanetworks	model:	clearpass policy manager	scope:	eq	version:	6.4.2	Trust: 0.3
vendor:	arubanetworks	model:	clearpass policy manager	scope:	eq	version:	6.4.1	Trust: 0.3
vendor:	arubanetworks	model:	clearpass policy manager	scope:	eq	version:	6.4	Trust: 0.3
vendor:	arubanetworks	model:	clearpass policy manager	scope:	eq	version:	6.3.6	Trust: 0.3
vendor:	arubanetworks	model:	clearpass policy manager	scope:	eq	version:	6.3.5	Trust: 0.3
vendor:	arubanetworks	model:	clearpass policy manager	scope:	eq	version:	6.2.6	Trust: 0.3
vendor:	arubanetworks	model:	clearpass policy manager	scope:	eq	version:	6.2	Trust: 0.3
vendor:	arubanetworks	model:	clearpass policy manager	scope:	eq	version:	6.1	Trust: 0.3
vendor:	arubanetworks	model:	clearpass policy manager	scope:	eq	version:	6.4.4	Trust: 0.3
vendor:	arubanetworks	model:	clearpass policy manager	scope:	eq	version:	6.4.3	Trust: 0.3
vendor:	arubanetworks	model:	clearpass policy manager	scope:	eq	version:	6.0	Trust: 0.3
vendor:	arubanetworks	model:	clearpass policy manager	scope:	ne	version:	6.5.2	Trust: 0.3
vendor:	arubanetworks	model:	clearpass policy manager	scope:	ne	version:	6.4.7	Trust: 0.3

sources: CNVD: CNVD-2017-26327 // BID: 100594 // JVNDB: JVNDB-2015-007790 // CNNVD: CNNVD-201708-1340 // NVD: CVE-2015-3655

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2015-3655
value:	HIGH
Trust: 1.0
NVD:	CVE-2015-3655
value:	HIGH
Trust: 0.8
CNVD:	CNVD-2017-26327
value:	MEDIUM
Trust: 0.6
CNNVD:	CNNVD-201708-1340
value:	HIGH
Trust: 0.6
VULMON:	CVE-2015-3655
value:	MEDIUM
Trust: 0.1

nvd@nist.gov:	CVE-2015-3655
severity:	MEDIUM
baseScore:	6.8
vectorString:	AV:N/AC:M/AU:N/C:P/I:P/A:P
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	8.6
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.9
CNVD:	CNVD-2017-26327
severity:	MEDIUM
baseScore:	6.8
vectorString:	AV:N/AC:M/AU:N/C:P/I:P/A:P
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	8.6
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.6

nvd@nist.gov:	CVE-2015-3655
baseSeverity:	HIGH
baseScore:	8.8
vectorString:	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	REQUIRED
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	2.8
impactScore:	5.9
version:	3.1
Trust: 1.0
NVD:	CVE-2015-3655
baseSeverity:	HIGH
baseScore:	8.8
vectorString:	CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	REQUIRED
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	NONE
impactScore:	NONE
version:	3.0
Trust: 0.8

sources: CNVD: CNVD-2017-26327 // VULMON: CVE-2015-3655 // JVNDB: JVNDB-2015-007790 // CNNVD: CNNVD-201708-1340 // NVD: CVE-2015-3655

PROBLEMTYPE DATA

problemtype:

CWE-352

Trust: 1.8

sources: JVNDB: JVNDB-2015-007790 // NVD: CVE-2015-3655

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201708-1340

TYPE

cross-site request forgery

Trust: 0.6

sources: CNNVD: CNNVD-201708-1340

CONFIGURATIONS

sources: JVNDB: JVNDB-2015-007790

PATCH

title:	ARUBA-PSA-2015-009	url:	http://www.arubanetworks.com/assets/alert/ARUBA-PSA-2015-009.txt	Trust: 0.8
title:	Patch for ArubaNetworksClearPassPolicyManager Cross-site Request Forgery Vulnerability	url:	https://www.cnvd.org.cn/patchInfo/show/102024	Trust: 0.6
title:	Aruba Networks ClearPass Policy Manager Fixes for cross-site request forgery vulnerabilities	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=74477	Trust: 0.6

sources: CNVD: CNVD-2017-26327 // JVNDB: JVNDB-2015-007790 // CNNVD: CNNVD-201708-1340

EXTERNAL IDS

db:	NVD	id:	CVE-2015-3655	Trust: 3.4
db:	BID	id:	100594	Trust: 2.6
db:	JVNDB	id:	JVNDB-2015-007790	Trust: 0.8
db:	CNVD	id:	CNVD-2017-26327	Trust: 0.6
db:	CNNVD	id:	CNNVD-201708-1340	Trust: 0.6
db:	VULMON	id:	CVE-2015-3655	Trust: 0.1

sources: CNVD: CNVD-2017-26327 // VULMON: CVE-2015-3655 // BID: 100594 // JVNDB: JVNDB-2015-007790 // CNNVD: CNNVD-201708-1340 // NVD: CVE-2015-3655

REFERENCES

url:	http://www.arubanetworks.com/assets/alert/aruba-psa-2015-009.txt	Trust: 2.6
url:	http://www.securityfocus.com/bid/100594	Trust: 2.4
url:	http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2015-3655	Trust: 0.8
url:	https://nvd.nist.gov/vuln/detail/cve-2015-3655	Trust: 0.8
url:	http://www.arubanetworks.com/	Trust: 0.3
url:	https://cwe.mitre.org/data/definitions/352.html	Trust: 0.1
url:	https://nvd.nist.gov	Trust: 0.1

sources: CNVD: CNVD-2017-26327 // VULMON: CVE-2015-3655 // BID: 100594 // JVNDB: JVNDB-2015-007790 // CNNVD: CNNVD-201708-1340 // NVD: CVE-2015-3655

CREDITS

Unknown

Trust: 0.3

sources: BID: 100594

SOURCES

db:	CNVD	id:	CNVD-2017-26327
db:	VULMON	id:	CVE-2015-3655
db:	BID	id:	100594
db:	JVNDB	id:	JVNDB-2015-007790
db:	CNNVD	id:	CNNVD-201708-1340
db:	NVD	id:	CVE-2015-3655

LAST UPDATE DATE

2025-04-20T23:04:38.142000+00:00

SOURCES UPDATE DATE

db:	CNVD	id:	CNVD-2017-26327	date:	2017-09-12T00:00:00
db:	VULMON	id:	CVE-2015-3655	date:	2020-10-01T00:00:00
db:	BID	id:	100594	date:	2017-08-29T00:00:00
db:	JVNDB	id:	JVNDB-2015-007790	date:	2017-09-20T00:00:00
db:	CNNVD	id:	CNNVD-201708-1340	date:	2020-10-09T00:00:00
db:	NVD	id:	CVE-2015-3655	date:	2025-04-20T01:37:25.860

SOURCES RELEASE DATE

db:	CNVD	id:	CNVD-2017-26327	date:	2017-09-12T00:00:00
db:	VULMON	id:	CVE-2015-3655	date:	2017-08-29T00:00:00
db:	BID	id:	100594	date:	2017-08-29T00:00:00
db:	JVNDB	id:	JVNDB-2015-007790	date:	2017-09-20T00:00:00
db:	CNNVD	id:	CNNVD-201708-1340	date:	2017-08-29T00:00:00
db:	NVD	id:	CVE-2015-3655	date:	2017-08-29T15:29:00.267