1.3 CVE-2015-5464

Local Execution Code


The Gemalto SafeNet Luna HSM allows remote authenticated users to bypass intended key-export restrictions by leveraging (1) crypto-user or (2) crypto-officer access to an HSM partition.


CWE-284 : Improper Access Control
The software does not restrict or incorrectly restricts access to a resource from an unauthorized actor. The terms "access control" and "authorization" are often used interchangeably, although many people have distinct definitions. The CWE usage of "access control" is intended as a general term for the various mechanisms that restrict which users can access which resources, and "authorization" is more narrowly defined. It is unlikely that there will be community consensus on the use of these terms.

Very carefully manage the setting, management, and handling of privileges. Explicitly manage trust zones in the software.

Chain: Cloud computing virtualization platform does not require authentication for upload of a tar format file (CWE-306), then uses .. path traversal sequences (CWE-23) in the file to access unexpected files, as exploited in the wild per CISA KEV.

IT management product does not perform authentication for some REST API requests, as exploited in the wild per CISA KEV.

Default setting in workflow management product allows all API requests without authentication, as exploited in the wild per CISA KEV.

Bulletin board applies restrictions on number of images during post creation, but does not enforce this on editing.




cpe start end
Configuration 1


id description date
No known exploits


id description severity
19 Embedding Scripts within Scripts
441 Malicious Logic Insertion
478 Modification of Windows Service Configuration
479 Malicious Root Certificate
502 Intent Spoof
503 WebView Exposure
536 Data Injected During Configuration
550 Install New Service
552 Install Rootkit
556 Replace File Extension Handlers
558 Replace Trusted Executable
562 Modify Shared File
563 Add Malicious File to Shared Webroot
564 Run Software at Logon
578 Disable Security Software
546 Incomplete Data Deletion in a Multi-Tenant Environment
551 Modify Existing Service
