CVE-2016-8648

CWE-502Deserialization of Untrusted Data5 documents5 sources
Severity
7.2HIGH
EPSS
0.5%
top 33.66%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
3
Apache Software Foundation KarafRedhat Jboss A-mqRedhat Jboss Fuse
Timeline
PublishedAug 1
Latest updateMay 13

Description

It was found that the Karaf container used by Red Hat JBoss Fuse 6.x, and Red Hat JBoss A-MQ 6.x, deserializes objects passed to MBeans via JMX operations. An attacker could use this flaw to execute remote code on the server as the user running the Java Virtual Machine if the target MBean contain deserialization gadgets in its classpath.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:HExploitability: 1.2 | Impact: 5.9

Affected Packages3 packages

CVEListV5apache_software_foundation/karafAs shipped with Jboss Fuse 6.x

🔴Vulnerability Details

2
GHSA
GHSA-rcmq-ww8v-3mxm: It was found that the Karaf container used by Red Hat JBoss Fuse 62022-05-13
CVEList
CVE-2016-8648: It was found that the Karaf container used by Red Hat JBoss Fuse 62018-08-01

📋Vendor Advisories

1
Red Hat
Karaf JMX Console RCE during deserialization2016-11-24

💬Community

1
Bugzilla
CVE-2016-8648 Karaf JMX Console RCE during deserialization2016-11-15
CVE-2016-8648 (HIGH CVSS 7.2) | It was found that the Karaf contain | cvebase.io