CVE-2016-5422
JON3: privilege escalation via improper authorization
Severity Score
8.8
*CVSS v3
Exploit Likelihood
*EPSS
Affected Versions
*CPE
Public Exploits
0
*Multiple Sources
Exploited in Wild
-
*KEV
Decision
-
*SSVC
Descriptions
The web console in Red Hat JBoss Operations Network (JON) before 3.3.7 does not properly authorize requests to add users with the super user role, which allows remote authenticated users to gain admin privileges via a crafted POST request.
La consola web en Red Hat JBoss Operations Network (JON) en versiones anteriores a 3.3.7 no autoriza adecuadamente peticiones para agregar usuarios con el rol de superusuario, lo que permite a usuarios remotos autenticados obtener privilegios de administrador a través de una petición POST manipulada.
It was found that JBoss Operations Network allowed regular users to add a new super user by sending a specially crafted request to the web console. This attacks allows escalation of privileges.
*Credits:
N/A
CVSS Scores
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability
Attack Vector
Attack Complexity
Authentication
Confidentiality
Integrity
Availability
* Common Vulnerability Scoring System
SSVC
- Decision:-
Exploitation
Automatable
Tech. Impact
* Organization's Worst-case Scenario
Timeline
- 2016-06-10 CVE Reserved
- 2016-08-31 CVE Published
- 2023-03-07 EPSS Updated
- 2024-08-06 CVE Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-264: Permissions, Privileges, and Access Controls
- CWE-285: Improper Authorization
CAPEC
References (4)
| URL | Tag | Source |
|---|---|---|
| http://www.securityfocus.com/bid/92722 | Third Party Advisory |
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|---|---|
| http://rhn.redhat.com/errata/RHSA-2016-1785.html | 2016-09-08 |
| URL | Date | SRC |
|---|---|---|
| https://access.redhat.com/security/cve/CVE-2016-5422 | 2016-08-31 | |
| https://bugzilla.redhat.com/show_bug.cgi?id=1361933 | 2016-08-31 |
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Redhat Search vendor "Redhat" | Jboss Operations Network Search vendor "Redhat" for product "Jboss Operations Network" | <= 3.3.6 Search vendor "Redhat" for product "Jboss Operations Network" and version " <= 3.3.6" | - |
Affected
| ||||||