CVE-2016-8648

EPSS 0.54%
Published 01.08.2018 14:29:00
Last modified 21.11.2024 02:59:45
Source secalert@redhat.com
Teams watchlist Login
Open Login

It was found that the Karaf container used by Red Hat JBoss Fuse 6.x, and Red Hat JBoss A-MQ 6.x, deserializes objects passed to MBeans via JMX operations. An attacker could use this flaw to execute remote code on the server as the user running the Java Virtual Machine if the target MBean contain deserialization gadgets in its classpath.

Affected products Warnungen 0 Metrics 4 CWE 1 References 5

Data is provided by the National Vulnerability Database (NVD)

Redhat ≫ Jboss A-mq Version6.0.0

Redhat ≫ Jboss Fuse Version6.0.0

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	0.54%	0.664

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	7.2	1.2	5.9	CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
nvd@nist.gov	6.5	8	6.4	AV:N/AC:L/Au:S/C:P/I:P/A:P
secalert@redhat.com	7.2	1.2	5.9	CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

CWE-502 Deserialization of Untrusted Data

The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.

http://www.securityfocus.com/bid/94513

Third Party Advisory

VDB Entry

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-8648

Third Party Advisory

Issue Tracking

Mitigation

https://nvd.nist.gov/vuln/detail/CVE-2016-8648

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2016-8648

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2016-8648

EUVD