Vulnerability Details : CVE-2016-9606
JBoss RESTEasy before version 3.1.2 could be forced into parsing a request with YamlProvider, resulting in unmarshalling of potentially untrusted data which could allow an attacker to execute arbitrary code with RESTEasy application permissions.
Vulnerability category: Input validation; Execute code
Products affected by CVE-2016-9606
- cpe:2.3:a:redhat:resteasy:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2016-9606
1.67% (probability of exploitation activity in the next 30 days)
~88% percentile (the proportion of vulnerabilities that are scored at or less)
CVSS scores for CVE-2016-9606
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
6.8 | MEDIUM | AV:N/AC:M/Au:N/C:P/I:P/A:P | 8.6 | 6.4 | NIST | |
8.1 | HIGH | CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H | 2.2 | 5.9 | NIST | |
CWE ids for CVE-2016-9606
- The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
  Assigned by:
  - nvd@nist.gov (Primary)
  - secalert@redhat.com (Secondary)
References for CVE-2016-9606
- https://access.redhat.com/errata/RHSA-2017:1675
  RHSA-2017:1675 - Security Advisory - Red Hat Customer Portal (Broken Link; Third Party Advisory)
- https://access.redhat.com/errata/RHSA-2017:1411
  RHSA-2017:1411 - Security Advisory - Red Hat Customer Portal (Third Party Advisory)
- https://access.redhat.com/errata/RHSA-2017:1260
  RHSA-2017:1260 - Security Advisory - Red Hat Customer Portal (Third Party Advisory)
- http://rhn.redhat.com/errata/RHSA-2017-1255.html
  RHSA-2017:1255 - Security Advisory - Red Hat Customer Portal (Third Party Advisory)
- https://access.redhat.com/errata/RHSA-2017:1254
  RHSA-2017:1254 - Security Advisory - Red Hat Customer Portal (Third Party Advisory)
- http://rhn.redhat.com/errata/RHSA-2017-1409.html
  RHSA-2017:1409 - Security Advisory - Red Hat Customer Portal (Third Party Advisory)
- https://access.redhat.com/errata/RHSA-2017:1412
  RHSA-2017:1412 - Security Advisory - Red Hat Customer Portal (Third Party Advisory)
- https://access.redhat.com/errata/RHSA-2017:1253
  RHSA-2017:1253 - Security Advisory - Red Hat Customer Portal (Third Party Advisory)
- https://bugzilla.redhat.com/show_bug.cgi?id=1400644
  1400644 – (CVE-2016-9606) CVE-2016-9606 Resteasy: Yaml unmarshalling vulnerable to RCE (Issue Tracking; Third Party Advisory)
- https://access.redhat.com/errata/RHSA-2018:2913
  RHSA-2018:2913 - Security Advisory - Red Hat Customer Portal
- https://access.redhat.com/errata/RHSA-2018:2909
  RHSA-2018:2909 - Security Advisory - Red Hat Customer Portal
- http://www.securityfocus.com/bid/94940
  Resteasy CVE-2016-9606 Remote Code Execution Vulnerability (Third Party Advisory; VDB Entry)
- https://access.redhat.com/errata/RHSA-2017:1256
  RHSA-2017:1256 - Security Advisory - Red Hat Customer Portal (Third Party Advisory)
- https://access.redhat.com/errata/RHSA-2017:1676
  RHSA-2017:1676 - Security Advisory - Red Hat Customer Portal (Broken Link; Third Party Advisory)
- http://www.securitytracker.com/id/1038524
  Red Hat JBoss RESTEasy Unmarshalling Bug Lets Remote Users Execute Arbitrary Code on the Target System - SecurityTracker (Third Party Advisory; VDB Entry)
- https://access.redhat.com/errata/RHSA-2017:1410
  RHSA-2017:1410 - Security Advisory - Red Hat Customer Portal (Third Party Advisory)