CVE-2016-5062

The web server in Aternity before 9.0.1 does not require authentication for getMBeansFromURL loading of Java MBeans, which allows remote attackers to execute arbitrary Java code by registering MBeans.

CVSS v3 9.8 CRITICAL
CVSS v2.0 9.3 HIGH

9.8^/10

CVSS v3 : CRITICAL

Vector : AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Exploitability : 3.9 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

9.3^/10

CVSS v2.0 : HIGH

Vector : AV:N/AC:M/Au:N/C:C/I:C/A:C

Exploitability : 8.6 / Impact : 10.0

Access Vector NETWORK

Access Complexity MEDIUM

Authentication NONE

Confidentiality Impact COMPLETE

Integrity Impact COMPLETE

Availability Impact COMPLETE

References

Link	Resource
http://www.kb.cert.org/vuls/id/706359	Third Party Advisory US Government Resource
http://www.securityfocus.com/bid/93208

Configurations

Configuration 1 (hide)

cpe:2.3:a:aternity:aternity:*:*:*:*:*:*:*:*

History

No history.

Information

Published : 2016-09-29 10:59

Updated : 2023-12-10 11:46

NVD link : CVE-2016-5062

Mitre link : CVE-2016-5062

CVE.ORG link : CVE-2016-5062

JSON object : View

Products Affected

aternity

aternity

CWE

CWE-669

Incorrect Resource Transfer Between Spheres

{"id": "CVE-2016-5062", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 9.3, "accessVector": "NETWORK", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "authentication": "NONE", "integrityImpact": "COMPLETE", "accessComplexity": "MEDIUM", "availabilityImpact": "COMPLETE", "confidentialityImpact": "COMPLETE"}, "acInsufInfo": false, "impactScore": 10.0, "baseSeverity": "HIGH", "obtainAllPrivilege": false, "exploitabilityScore": 8.6, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV30": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.0", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 3.9}]}, "published": "2016-09-29T10:59:01.737", "references": [{"url": "http://www.kb.cert.org/vuls/id/706359", "tags": ["Third Party Advisory", "US Government Resource"], "source": "cret@cert.org"}, {"url": "http://www.securityfocus.com/bid/93208", "source": "cret@cert.org"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-669"}]}], "descriptions": [{"lang": "en", "value": "The web server in Aternity before 9.0.1 does not require authentication for getMBeansFromURL loading of Java MBeans, which allows remote attackers to execute arbitrary Java code by registering MBeans."}, {"lang": "es", "value": "Varias vulnerabilidades de XSS en el servidor web en Aternity en versiones anteriores a 9.0.1 permiten a atacantes remotos inyectar secuencias de comandos web o HTML a trav\u00e9s de (1) HTTPAgent, (2) MacAgent, (3) getExternalURL o (4) RetrieveTrustedUrl p\u00e1gina."}], "lastModified": "2017-04-10T01:59:00.363", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:aternity:aternity:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "855D892C-F382-4A68-8FF1-9EDA399D8581", "versionEndIncluding": "9.0"}], "operator": "OR"}]}], "sourceIdentifier": "cret@cert.org"}