Main Vulnerability Database SB2017052201

SB2017052201 - Remote code execution in Red Hat JBoss RESTEasy

Published: May 22, 2017 Updated: May 26, 2017

Security Bulletin ID SB2017052201

CSH Severity

High

Patch available

YES

Number of vulnerabilities 1

Exploitation vector Remote access

Highest impact Code execution

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 1 vulnerability.

1) Improper input validation (CVE-ID: CVE-2016-9606)

CWE-ID: CWE-20 - Improper input validation

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber

The vulnerability allows a remote unauthenticated attacker to execute arbitrary code on the target system.

The weakness exists due to improper parsing of user-supplied requests. A remote attacker can submit a specially crafted request, which when parsed by the YamlProvider feature of the affected application allows to execute arbitrary code with the permissions of the application using RESTEasy.

Successful exploitation of the vulnerability may result in full system compromise.

Remediation

Install update from vendor's website.

References

https://access.redhat.com/security/cve/CVE-2016-9606