CVE-2016-6330

Severity
9.8 CRITICAL
EPSS
13.0%
top 5.92%
CISA KEV
Not in KEV
Exploit
No known exploits
Timeline
Published: Sep 27
Latest update: May 17

Description

The server in Red Hat JBoss Operations Network (JON), when SSL authentication is not configured for JON server / agent communication, allows remote attackers to execute arbitrary code via a crafted HTTP request, related to message deserialization. NOTE: this vulnerability exists because of an incomplete fix for CVE-2016-3737.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Exploitability: 3.9 | Impact: 5.9

Affected Packages: 1 package

🔴Vulnerability Details

2
GHSA
GHSA-hpgf-x5r5-6h89: The server in Red Hat JBoss Operations Network (JON), when SSL authentication is not configured for JON server / agent communication, allows remote at | 2022-05-17
CVEList
CVE-2016-6330: The server in Red Hat JBoss Operations Network (JON), when SSL authentication is not configured for JON server / agent communication, allows remote at | 2016-09-27

📋Vendor Advisories

1
Red Hat
JON: incomplete fix for CVE-2016-3737 | 2016-08-22

💬Community

1
Bugzilla
CVE-2016-6330 JON: incomplete fix for CVE-2016-3737 | 2016-08-22