CVE-2016-8656 — Improper Access Control in Jbossas

CWE-284 — Improper Access Control CWE-264 CWE-282 — Improper Ownership Management10 documents5 sources

Severity

7.8HIGHNVD

CNA7.0

EPSS

0.1%

top 78.33%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Jboss Jbossas RED HAT INC RED HAT Jboss Enterprise Application Platform Redhat Enterprise Linux +1 more

Timeline

PublishedMay 22

Latest updateMay 13

Description

Jboss jbossas before versions 5.2.0-23, 6.4.13, 7.0.5 is vulnerable to an unsafe file handling in the jboss init script which could result in local privilege escalation.

CVSS vector

CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 1.8 | Impact: 5.9

Affected Packages3 packages

▶CVEListV5jboss/jbossasjbossas 5.2.0-23, jbossas 6.4.13, jbossas 7.0.5+2

▶NVDredhat/jboss_enterprise_application_platform6 versions+5

▶CVEListV5red_hat_inc/red_hat_jboss_enterprise_application_platform7.0.7.GA

Also affects: Enterprise Linux 6.0, 7.0

🔴Vulnerability Details

GHSA

GHSA-v2jx-53jj-4vjf: Jboss jbossas before versions 5↗2022-05-13

▶

GHSA

GHSA-g689-52m8-86fh: It was discovered that the jboss init script as used in Red Hat JBoss Enterprise Application Platform 7↗2022-05-13

▶

CVEList

CVE-2016-8656: Jboss jbossas before versions 5↗2018-05-22

▶

CVEList

CVE-2017-12189: It was discovered that the jboss init script as used in Red Hat JBoss Enterprise Application Platform 7↗2018-01-10

▶

📋Vendor Advisories

Red Hat

jboss: unsafe chown of server.log in jboss init script allows privilege escalation (Incomplete fix for CVE-2016-8656)↗2018-01-03

▶

Red Hat

jboss: jbossas: unsafe chown of server.log in jboss init script allows privilege escalation↗2016-09-15

▶

💬Community

Bugzilla

CVE-2017-12189 jboss: unsafe chown of server.log in jboss init script allows privilege escalation (Incomplete fix for CVE-2016-8656)↗2017-10-09

▶

Bugzilla

CVE-2016-8656 jboss: jbossas: unsafe chown of server.log in jboss init script allows privilege escalation↗2016-11-30

▶