Improper access control in sentry
| Risk | High |
| Patch available | YES |
| Number of vulnerabilities | 1 |
| CVE-ID | CVE-2016-0760 |
| CWE-ID | CWE-284 |
| Exploitation vector | Network |
| Public exploit | N/A |
| Vulnerable software Subscribe |
sentry Other software / Other software solutions |
| Vendor | Sentry |
Security Bulletin
This security bulletin contains one high risk vulnerability.
1) Improper access control
EUVDB-ID: #VU40136
Risk: High
CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2016-0760
CWE-ID:
CWE-284 - Improper Access Control
Exploit availability: No
DescriptionThe vulnerability allows a remote authenticated user to execute arbitrary code.
Multiple incomplete blacklist vulnerabilities in Apache Sentry before 1.7.0 allow remote authenticated users to execute arbitrary code via the (1) reflect, (2) reflect2, or (3) java_method Hive builtin functions.
MitigationInstall update from vendor's website.
Vulnerable software versionssentry: 1.5.1 - 1.6.0
External linkshttp://mail-archives.apache.org/mod_mbox/sentry-dev/201608.mbox/%3CCACMN7ixDqDyOZGLEvsMUVHBiJ6crq8zdy%2B2mNfRooNhnk7CJ1g%40mail.gmail.com%3E
http://www.securityfocus.com/bid/92328
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
