CVE-2016-6496

EPSS 2.91%
Veröffentlicht 09.12.2016 22:59:02
Zuletzt bearbeitet 12.04.2025 10:46:40
Quelle security-alert@hpe.com
CVE-Watchlists
Login
Unerledigt
Login

The LDAP directory connector in Atlassian Crowd before 2.8.8 and 2.9.x before 2.9.5 allows remote attackers to execute arbitrary code via an LDAP attribute with a crafted serialized Java object, aka LDAP entry poisoning.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 8

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Atlassian ≫ Crowd Version <= 2.8.4

Atlassian ≫ Crowd Version2.9.0

Atlassian ≫ Crowd Version2.9.1

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	2.91%	0.858

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	9.8	3.9	5.9	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd@nist.gov	7.5	10	6.4	AV:N/AC:L/Au:N/C:P/I:P/A:P

CWE-20 Improper Input Validation

The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

http://www.securityfocus.com/archive/1/539655/100/0/threaded

http://www.securityfocus.com/bid/93826

Third Party Advisory

VDB Entry

https://confluence.atlassian.com/crowd/crowd-security-advisory-2016-10-19-856697283.html

Vendor Advisory

https://jira.atlassian.com/browse/CWD-4790

Issue Tracking

https://www.blackhat.com/docs/us-16/materials/us-16-Munoz-A-Journey-From-JNDI-LDAP-Manipulation-To-RCE-wp.pdf

Not Applicable

https://nvd.nist.gov/vuln/detail/CVE-2016-6496

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2016-6496

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2016-6496

EUVD