CVE-2016-8627 : admin-cli before versions 3.0.0.alpha25, 2.2.1.cr2 is vulnerable to an EAP featu

admin-cli before versions 3.0.0.alpha25, 2.2.1.cr2 is vulnerable to an EAP feature to download server log files that allows logs to be available via GET requests making them vulnerable to cross-origin attacks. An attacker could trigger the user's browser to request the log files consuming enough resources that normal server functioning could be impaired.

Published 2018-05-11 13:29:00

Updated 2019-10-09 23:20:06

Source Red Hat, Inc.

View at NVD, CVE.org

Products affected by CVE-2016-8627

Redhat » Jboss Enterprise Application Platform » Version: 6.4.0
cpe:2.3:a:redhat:jboss_enterprise_application_platform:6.4.0:*:*:*:*:*:*:*
Matching versions
Redhat » Jboss Enterprise Application Platform » Version: 7.0.0
cpe:2.3:a:redhat:jboss_enterprise_application_platform:7.0.0:*:*:*:*:*:*:*
Matching versions
Redhat » Jboss Enterprise Application Platform » Version: 7.1.0
cpe:2.3:a:redhat:jboss_enterprise_application_platform:7.1.0:*:*:*:*:*:*:*
Matching versions
Redhat » Keycloak » Version: N/A
cpe:2.3:a:redhat:keycloak:-:*:*:*:*:*:*:*
Matching versions

Threat overview for CVE-2016-8627

Top countries where our scanners detected CVE-2016-8627

Top open port discovered on systems with this issue 80

IPs affected by CVE-2016-8627 370

Threat actors abusing to this issue? Yes

Find out if you^* are affected by CVE-2016-8627!

^*Directly or indirectly through your vendors, service providers and 3rd parties. Powered by attack surface intelligence from SecurityScorecard.

Exploit prediction scoring system (EPSS) score for CVE-2016-8627

EPSS FAQ

0.80%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 72 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2016-8627

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
4.3	MEDIUM	AV:N/AC:M/Au:N/C:N/I:N/A:P	8.6	2.9	NIST
Access Vector: Network Access Complexity: Medium Authentication: None Confidentiality Impact: None Integrity Impact: None Availability Impact: Partial
4.3	MEDIUM	AV:N/AC:M/Au:N/C:N/I:N/A:P	8.6	2.9	Red Hat, Inc.
Access Vector: Network Access Complexity: Medium Authentication: None Confidentiality Impact: None Integrity Impact: None Availability Impact: Partial
6.5	MEDIUM	CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H	2.8	3.6	NIST
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: Required Scope: Unchanged Confidentiality: None Integrity: None Availability: High
4.3	MEDIUM	CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L	2.8	1.4	Red Hat, Inc.
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: Required Scope: Unchanged Confidentiality: None Integrity: None Availability: Low

CWE ids for CVE-2016-8627

CWE-400 Uncontrolled Resource Consumption

The product does not properly control the allocation and maintenance of a limited resource.
Assigned by:
- nvd@nist.gov (Primary)
- secalert@redhat.com (Secondary)

References for CVE-2016-8627

http://rhn.redhat.com/errata/RHSA-2017-0244.html

RHSA-2017:0244 - Security Advisory - Red Hat Customer Portal
Third Party Advisory

CVEs referencing this url
http://rhn.redhat.com/errata/RHSA-2017-0173.html

RHSA-2017:0173 - Security Advisory - Red Hat Customer Portal
Third Party Advisory

CVEs referencing this url
http://www.securitytracker.com/id/1037660

Red Hat JBoss Enterprise Application Platform Server Log Download Lets Remote Users Deny Service - SecurityTracker
Third Party Advisory;VDB Entry
http://rhn.redhat.com/errata/RHSA-2017-0250.html

RHSA-2017:0250 - Security Advisory - Red Hat Customer Portal
Third Party Advisory

CVEs referencing this url
https://access.redhat.com/errata/RHSA-2017:3458

RHSA-2017:3458 - Security Advisory - Red Hat Customer Portal
Third Party Advisory

CVEs referencing this url
http://rhn.redhat.com/errata/RHSA-2017-0247.html

RHSA-2017:0247 - Security Advisory - Red Hat Customer Portal
Third Party Advisory

CVEs referencing this url
http://rhn.redhat.com/errata/RHSA-2017-0245.html

RHSA-2017:0245 - Security Advisory - Red Hat Customer Portal
Third Party Advisory

CVEs referencing this url
http://www.securityfocus.com/bid/95698

Red Hat JBoss Enterprise Application Platform CVE-2016-8627 Remote Denial of Service Vulnerability
Third Party Advisory;VDB Entry
http://rhn.redhat.com/errata/RHSA-2017-0172.html

RHSA-2017:0172 - Security Advisory - Red Hat Customer Portal
Third Party Advisory

CVEs referencing this url
http://rhn.redhat.com/errata/RHSA-2017-0171.html

RHSA-2017:0171 - Security Advisory - Red Hat Customer Portal
Third Party Advisory

CVEs referencing this url
https://access.redhat.com/errata/RHSA-2017:3456

RHSA-2017:3456 - Security Advisory - Red Hat Customer Portal
Third Party Advisory

CVEs referencing this url
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-8627

1388240 – (CVE-2016-8627) CVE-2016-8627 admin-cli: Potential EAP resource starvation DOS attack via GET requests for server log files
Issue Tracking;Third Party Advisory
https://access.redhat.com/errata/RHSA-2017:3455

RHSA-2017:3455 - Security Advisory - Red Hat Customer Portal
Third Party Advisory

CVEs referencing this url
http://rhn.redhat.com/errata/RHSA-2017-0170.html

RHSA-2017:0170 - Security Advisory - Red Hat Customer Portal
Third Party Advisory

CVEs referencing this url
http://rhn.redhat.com/errata/RHSA-2017-0246.html

RHSA-2017:0246 - Security Advisory - Red Hat Customer Portal
Third Party Advisory

CVEs referencing this url
https://access.redhat.com/errata/RHSA-2017:3454

RHSA-2017:3454 - Security Advisory - Red Hat Customer Portal
Third Party Advisory

CVEs referencing this url