Improper input validation in JBoss RESTEasy - CVE-2016-9606
Published: May 22, 2017
Vulnerability identifier: #VU6611
CSH Severity: High
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
CVE-ID: CVE-2016-9606
CWE-ID: CWE-20
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vendor: Red Hat Inc.
Affected software:
JBoss RESTEasy
JBoss RESTEasy
Detailed vulnerability description
The vulnerability allows a remote unauthenticated attacker to execute arbitrary code on the target system.
The weakness exists due to improper parsing of user-supplied requests. A remote attacker can submit a specially crafted request, which when parsed by the YamlProvider feature of the affected application allows to execute arbitrary code with the permissions of the application using RESTEasy.
Successful exploitation of the vulnerability may result in full system compromise.
The weakness exists due to improper parsing of user-supplied requests. A remote attacker can submit a specially crafted request, which when parsed by the YamlProvider feature of the affected application allows to execute arbitrary code with the permissions of the application using RESTEasy.
Successful exploitation of the vulnerability may result in full system compromise.
How to mitigate CVE-2016-9606
Update to version 3.1.2 and 3.0.22.