Apache Software Foundation Apache Brooklyn vulnerabilities

CVE-2016-8744 [HIGH] CWE-502 CVE-2016-8744: Apache Brooklyn uses the SnakeYAML library for parsing YAML inputs. SnakeYAML allows the use of YAML Apache Brooklyn uses the SnakeYAML library for parsing YAML inputs. SnakeYAML allows the use of YAML tags to indicate that SnakeYAML should unmarshal data to a Java type. In the default configuration in Brooklyn before 0.10.0, SnakeYAML will allow unmarshalling to any Java type available on the classpath. This could provide an authenticated user with a

CVE-2016-8737 [HIGH] CWE-352 CVE-2016-8737: In Apache Brooklyn before 0.10.0, the REST server is vulnerable to cross-site request forgery (CSRF) In Apache Brooklyn before 0.10.0, the REST server is vulnerable to cross-site request forgery (CSRF), which could permit a malicious web site to produce a link which, if clicked whilst a user is logged in to Brooklyn, would cause the server to execute the attacker's commands as the user. There is known to be a proof-of-concept exploit using this vulnera

CVE-2017-3165 [MEDIUM] CWE-79 CVE-2017-3165: In Apache Brooklyn before 0.10.0, the REST server is vulnerable to cross-site scripting where one au In Apache Brooklyn before 0.10.0, the REST server is vulnerable to cross-site scripting where one authenticated user can cause scripts to run in the browser of another user authorized to access the first user's resources. This is due to improper escaping of server-side content. There is known to be a proof-of-concept exploit using this vulnerability.