Miggo Logo

CVE-2015-2918: OrientDB Studio web management interface is vulnerable to clickjacking attacks

6.1

CVSS Score
3.0

Basic Information

EPSS Score
0.62192%
Published
10/18/2018
Updated
9/29/2023
KEV Status
No
Technology
TechnologyJava

Technical Details

CVSS Vector
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Package NameEcosystemVulnerable VersionsFirst Patched Version
com.orientechnologies:orientdb-studiomaven< 2.0.152.0.15
com.orientechnologies:orientdb-studiomaven= 2.1.02.1.1

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability stems from missing X-Frame-Options headers. The HTTP response handler (OHttpResponse.sendResponseHeaders) would be the logical location for this security control. The mitigation requires adding this header, confirming the vulnerable versions lacked it in this core response handling function. While no direct patch code is shown, the CERT workaround and standard Java web response handling patterns strongly indicate this as the vulnerable function.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

T** Stu*io *ompon*nt in Ori*nt** S*rv*r *ommunity **ition ***or* *.*.** *n* *.*.x ***or* *.*.* *o*s not prop*rly r*stri*t us* o* *R*M* *l*m*nts, w*i** m*k*s it **si*r *or r*mot* *tt**k*rs to *on*u*t *li*kj**kin* *tt**ks vi* * *r**t** w** sit*.

Reasoning

T** vuln*r**ility st*ms *rom missin* X-*r*m*-Options *****rs. T** *TTP r*spons* **n*l*r (O*ttpR*spons*.s*n*R*spons******rs) woul* ** t** lo*i**l lo**tion *or t*is s**urity *ontrol. T** miti**tion r*quir*s ***in* t*is *****r, *on*irmin* t** vuln*r**l*