CVE: CVE-2015-2902 - CVE-Search

CVE Details for CVE: CVE-2015-2902

Summary

HP ArcSight SmartConnectors before 7.1.6 do not verify X.509 certificates from Logger devices, which allows man-in-the-middle attackers to spoof devices and obtain sensitive information via a crafted certificate.

Timestamps
Last major update	07-12-2016 - 18:10
Published	04-11-2015 - 03:59
Last modified	07-12-2016 - 18:10

References

Vulnerable Configurations

cpe:2.3:a:hp:arcsight_smartconnectors:*:*:*:*:*:*:*:*
cpe:2.3:a:hp:arcsight_smartconnectors:*:*:*:*:*:*:*:*

CAPEC

Click the CAPEC title to display a description

Signature Spoofing by Key Recreation
An attacker obtains an authoritative or reputable signer's private signature key by exploiting a cryptographic weakness in the signature algorithm or pseudorandom number generation and then uses this key to forge signatures from the original signer to mislead a victim into performing actions that benefit the attacker.

CWE

CWE-310

CVSS

Base

6.8

Impact

6.4

Exploitability

8.6

Access

Vector	Complexity	Authentication
NETWORK	MEDIUM	NONE

Impact

Confidentiality	Integrity	Availability
PARTIAL	PARTIAL	PARTIAL

CVSS3

None

VIA4 references

cvss-vector via4

AV:N/AC:M/Au:N/C:P/I:P/A:P

refmap via4

cert-vn	VU#350508
confirm	https://h20564.www2.hpe.com/hpsc/doc/public/display?docId=emr_na-c04850932
sectrack	1034078