CVE-2016-5402

A code injection flaw was found in the way capacity and utilization imported control files are processed. A remote, authenticated attacker with access to the capacity and utilization feature could use this flaw to execute arbitrary code as the user CFME runs as.

CVSS v3 8.8 HIGH
CVSS v2.0 9.0 HIGH

8.8^/10

CVSS v3 : HIGH

Vector : AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Exploitability : 2.8 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

9.0^/10

CVSS v2.0 : HIGH

Vector : AV:N/AC:L/Au:S/C:C/I:C/A:C

Exploitability : 8.0 / Impact : 10.0

Access Vector NETWORK

Access Complexity LOW

Authentication SINGLE

Confidentiality Impact COMPLETE

Integrity Impact COMPLETE

Availability Impact COMPLETE

References

Link	Resource
http://rhn.redhat.com/errata/RHSA-2016-2839.html	Vendor Advisory
http://www.securityfocus.com/bid/94612	Third Party Advisory VDB Entry
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-5402	Issue Tracking

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:redhat:cloudforms:4.1:::::::*
	cpe:2.3:a:redhat:cloudforms_management_engine:5.6:::::::*

History

12 Feb 2023, 23:23

Type	Values Removed	Values Added
References	~~{'url': 'https://access.redhat.com/errata/RHSA-2016:2839', 'name': 'https://access.redhat.com/errata/RHSA-2016:2839', 'tags': [], 'refsource': 'MISC'}~~ ~~{'url': 'https://access.redhat.com/security/cve/CVE-2016-5402', 'name': 'https://access.redhat.com/security/cve/CVE-2016-5402', 'tags': [], 'refsource': 'MISC'}~~ ~~{'url': 'https://bugzilla.redhat.com/show_bug.cgi?id=1357559', 'name': 'https://bugzilla.redhat.com/show_bug.cgi?id=1357559', 'tags': [], 'refsource': 'MISC'}~~

02 Feb 2023, 15:17

Type	Values Removed	Values Added
References		(MISC) https://access.redhat.com/errata/RHSA-2016:2839 - (MISC) https://access.redhat.com/security/cve/CVE-2016-5402 - (MISC) https://bugzilla.redhat.com/show_bug.cgi?id=1357559 -

Information

Published : 2018-10-31 13:29

Updated : 2023-12-10 12:44

NVD link : CVE-2016-5402

Mitre link : CVE-2016-5402

CVE.ORG link : CVE-2016-5402

JSON object : View

Products Affected

redhat

cloudforms_management_engine
cloudforms

CWE

CWE-94

Improper Control of Generation of Code ('Code Injection')

{"id": "CVE-2016-5402", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 9.0, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "authentication": "SINGLE", "integrityImpact": "COMPLETE", "accessComplexity": "LOW", "availabilityImpact": "COMPLETE", "confidentialityImpact": "COMPLETE"}, "acInsufInfo": false, "impactScore": 10.0, "baseSeverity": "HIGH", "obtainAllPrivilege": false, "exploitabilityScore": 8.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV30": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.0", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 2.8}, {"type": "Secondary", "source": "secalert@redhat.com", "cvssData": {"scope": "UNCHANGED", "version": "3.0", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 2.8}]}, "published": "2018-10-31T13:29:00.443", "references": [{"url": "http://rhn.redhat.com/errata/RHSA-2016-2839.html", "tags": ["Vendor Advisory"], "source": "secalert@redhat.com"}, {"url": "http://www.securityfocus.com/bid/94612", "tags": ["Third Party Advisory", "VDB Entry"], "source": "secalert@redhat.com"}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-5402", "tags": ["Issue Tracking"], "source": "secalert@redhat.com"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "secalert@redhat.com", "description": [{"lang": "en", "value": "CWE-94"}]}, {"type": "Secondary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-94"}]}], "descriptions": [{"lang": "en", "value": "A code injection flaw was found in the way capacity and utilization imported control files are processed. A remote, authenticated attacker with access to the capacity and utilization feature could use this flaw to execute arbitrary code as the user CFME runs as."}, {"lang": "es", "value": "Se ha encontrado un error de inyecci\u00f3n de c\u00f3digo en la forma en la que se procesan los archivos de control de capacidad y utilizaci\u00f3n importados. Un atacante autenticado remoto con acceso a la caracter\u00edstica de capacidad y utilizaci\u00f3n podr\u00eda emplear este error para ejecutar c\u00f3digo arbitrario como el usuario como el que se ejecuta CFME."}], "lastModified": "2023-02-12T23:23:57.137", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:redhat:cloudforms:4.1:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "BF303B35-7EBD-44D3-90FB-2B6295FCEB86"}, {"criteria": "cpe:2.3:a:redhat:cloudforms_management_engine:5.6:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "1480D433-1DF4-4A5D-A098-E55515133DE8"}], "operator": "OR"}]}], "sourceIdentifier": "secalert@redhat.com"}