CVE-2016-6330
https://notcve.org/view.php?id=CVE-2016-6330
The server in Red Hat JBoss Operations Network (JON), when SSL authentication is not configured for JON server / agent communication, allows remote attackers to execute arbitrary code via a crafted HTTP request, related to message deserialization. NOTE: this vulnerability exists because of an incomplete fix for CVE-2016-3737. El servidor en Red Hat JBoss Operations Network (JON), cuando la autenticación SSL no está configurada para comunicación de agente servidor JON, permite a atacantes remotos ejecutar código arbitrario a través de una petición HTTP manipulada, relacionado con deserialización de mensajes. NOTA: esta vulnerabilidad existe debido a una solución incompleta para CVE-2016-3737. • http://www.securityfocus.com/bid/92568 https://bugzilla.redhat.com/show_bug.cgi?id=1368864 https://www.tenable.com/security/research/tra-2016-22 • CWE-502: Deserialization of Untrusted Data •
CVE-2016-5422 – JON3: privilege escalation via improper authorization
https://notcve.org/view.php?id=CVE-2016-5422
The web console in Red Hat JBoss Operations Network (JON) before 3.3.7 does not properly authorize requests to add users with the super user role, which allows remote authenticated users to gain admin privileges via a crafted POST request. La consola web en Red Hat JBoss Operations Network (JON) en versiones anteriores a 3.3.7 no autoriza adecuadamente peticiones para agregar usuarios con el rol de superusuario, lo que permite a usuarios remotos autenticados obtener privilegios de administrador a través de una petición POST manipulada. It was found that JBoss Operations Network allowed regular users to add a new super user by sending a specially crafted request to the web console. This attacks allows escalation of privileges. • http://rhn.redhat.com/errata/RHSA-2016-1785.html http://www.securityfocus.com/bid/92722 https://access.redhat.com/security/cve/CVE-2016-5422 https://bugzilla.redhat.com/show_bug.cgi?id=1361933 • CWE-264: Permissions, Privileges, and Access Controls CWE-285: Improper Authorization •
CVE-2016-3737
https://notcve.org/view.php?id=CVE-2016-3737
The server in Red Hat JBoss Operations Network (JON) before 3.3.6 allows remote attackers to execute arbitrary code via a crafted HTTP request, related to message deserialization. El servidor en Red Hat JBoss Operations Network (JON) en versiones anteriores a 3.3.6 permite a atacantes remotos ejecutar código arbitrario a traves una petición HTTP manipulada, relacionado con deserialización de mensaje. • http://rhn.redhat.com/errata/RHSA-2016-1519.html http://www.securitytracker.com/id/1036507 https://bugzilla.redhat.com/show_bug.cgi?id=1333618 https://www.tenable.com/security/research/tra-2016-22 • CWE-20: Improper Input Validation •
CVE-2015-3267 – JON: Cross Site scripting possible on the JBoss ON 404 error page
https://notcve.org/view.php?id=CVE-2015-3267
Cross-site scripting (XSS) vulnerability in the 404 error page in Red Hat JBoss Operations Network before 3.3.3 allows remote attackers to inject arbitrary web script or HTML via a crafted URL. Vulnerabilidad de XSS en la página de error 404 en Red Hat JBoss Operations Network en versiones anteriores a 3.3.3, permite a atacantes remotos inyectar secuencias de comandos web o HTML arbitrarios a través de una URL manipulada. It was discovered that a cross-site scripting (XSS) vulnerability on a JBoss Operations Network 404 error page allowed for session fixation attacks. An attacker could use this flaw to impersonate a legitimate user, resulting in compromised integrity of secure data. • http://rhn.redhat.com/errata/RHSA-2015-1525.html http://www.securityfocus.com/bid/76335 http://www.securitytracker.com/id/1033136 https://access.redhat.com/security/cve/CVE-2015-3267 https://bugzilla.redhat.com/show_bug.cgi?id=1237155 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2013-4452 – ON: World readable configuration files expose sensitive data
https://notcve.org/view.php?id=CVE-2013-4452
Red Hat JBoss Operations Network 3.1.2 uses world-readable permissions for the (1) server and (2) agent configuration files, which allows local users to obtain authentication credentials and other unspecified sensitive information by reading these files. Red Hat JBoss Operations Network 3.1.2 utiliza permisos de lectura globales para ficheros de configuración de (1) servidor y (2) agente, lo cual permite a usuarios locales obtener credenciales de autenticación y otra información sensible no especificada mediante la lectura de dichos ficheros. • http://rhn.redhat.com/errata/RHSA-2013-1762.html http://secunia.com/advisories/55852 http://www.securityfocus.com/bid/63916 http://www.securitytracker.com/id/1029390 https://access.redhat.com/security/cve/CVE-2013-4452 https://bugzilla.redhat.com/show_bug.cgi?id=1021756 • CWE-264: Permissions, Privileges, and Access Controls •