Search criteria
8 vulnerabilities found for Apache Brooklyn by Apache Software Foundation
CVE-2016-8744 (GCVE-0-2016-8744)
Vulnerability from cvelistv5 – Published: 2017-09-13 16:00 – Updated: 2024-09-16 18:09
VLAI?
Summary
Apache Brooklyn uses the SnakeYAML library for parsing YAML inputs. SnakeYAML allows the use of YAML tags to indicate that SnakeYAML should unmarshal data to a Java type. In the default configuration in Brooklyn before 0.10.0, SnakeYAML will allow unmarshalling to any Java type available on the classpath. This could provide an authenticated user with a means to cause the JVM running Brooklyn to load and run Java code without detection by Brooklyn. Such code would have the privileges of the Java process running Brooklyn, including the ability to open files and network connections, and execute system commands. There is known to be a proof-of-concept exploit using this vulnerability.
Severity ?
No CVSS data available.
CWE
- Remote code execution
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Apache Brooklyn |
Affected:
0.9.0 and all prior versions
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T02:34:59.620Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://brooklyn.apache.org/community/security/CVE-2016-8744.html"
},
{
"name": "[dev] 20170210 [SECURITY] CVE-2016-8744: Apache Brooklyn, SnakeYAML configuration potentially allows remote code execution",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/3f4d09c1c1a3cdfd1da0a05c8362769b917c078eed5b6c2f8e37a761%40%3Cdev.brooklyn.apache.org%3E"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Apache Brooklyn",
"vendor": "Apache Software Foundation",
"versions": [
{
"status": "affected",
"version": "0.9.0 and all prior versions"
}
]
}
],
"datePublic": "2017-02-10T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Apache Brooklyn uses the SnakeYAML library for parsing YAML inputs. SnakeYAML allows the use of YAML tags to indicate that SnakeYAML should unmarshal data to a Java type. In the default configuration in Brooklyn before 0.10.0, SnakeYAML will allow unmarshalling to any Java type available on the classpath. This could provide an authenticated user with a means to cause the JVM running Brooklyn to load and run Java code without detection by Brooklyn. Such code would have the privileges of the Java process running Brooklyn, including the ability to open files and network connections, and execute system commands. There is known to be a proof-of-concept exploit using this vulnerability."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Remote code execution",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2017-09-13T15:57:01",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://brooklyn.apache.org/community/security/CVE-2016-8744.html"
},
{
"name": "[dev] 20170210 [SECURITY] CVE-2016-8744: Apache Brooklyn, SnakeYAML configuration potentially allows remote code execution",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/3f4d09c1c1a3cdfd1da0a05c8362769b917c078eed5b6c2f8e37a761%40%3Cdev.brooklyn.apache.org%3E"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@apache.org",
"DATE_PUBLIC": "2017-02-10T00:00:00",
"ID": "CVE-2016-8744",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Apache Brooklyn",
"version": {
"version_data": [
{
"version_value": "0.9.0 and all prior versions"
}
]
}
}
]
},
"vendor_name": "Apache Software Foundation"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Apache Brooklyn uses the SnakeYAML library for parsing YAML inputs. SnakeYAML allows the use of YAML tags to indicate that SnakeYAML should unmarshal data to a Java type. In the default configuration in Brooklyn before 0.10.0, SnakeYAML will allow unmarshalling to any Java type available on the classpath. This could provide an authenticated user with a means to cause the JVM running Brooklyn to load and run Java code without detection by Brooklyn. Such code would have the privileges of the Java process running Brooklyn, including the ability to open files and network connections, and execute system commands. There is known to be a proof-of-concept exploit using this vulnerability."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Remote code execution"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://brooklyn.apache.org/community/security/CVE-2016-8744.html",
"refsource": "CONFIRM",
"url": "https://brooklyn.apache.org/community/security/CVE-2016-8744.html"
},
{
"name": "[dev] 20170210 [SECURITY] CVE-2016-8744: Apache Brooklyn, SnakeYAML configuration potentially allows remote code execution",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/3f4d09c1c1a3cdfd1da0a05c8362769b917c078eed5b6c2f8e37a761@%3Cdev.brooklyn.apache.org%3E"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2016-8744",
"datePublished": "2017-09-13T16:00:00Z",
"dateReserved": "2016-10-18T00:00:00",
"dateUpdated": "2024-09-16T18:09:23.475Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2017-3165 (GCVE-0-2017-3165)
Vulnerability from cvelistv5 – Published: 2017-09-13 16:00 – Updated: 2024-09-16 18:54
VLAI?
Summary
In Apache Brooklyn before 0.10.0, the REST server is vulnerable to cross-site scripting where one authenticated user can cause scripts to run in the browser of another user authorized to access the first user's resources. This is due to improper escaping of server-side content. There is known to be a proof-of-concept exploit using this vulnerability.
Severity ?
No CVSS data available.
CWE
- Cross-site scripting
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Apache Brooklyn |
Affected:
0.9.0 and all prior versions
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T14:16:28.323Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "96228",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/96228"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://brooklyn.apache.org/community/security/CVE-2017-3165.html"
},
{
"name": "[dev] 20170210 [SECURITY] CVE-2017-3165: Cross-site vulnerabilities in Apache Brooklyn",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/5aa6b7583edbfc1f5653607003204326d9e27ef65e8af356c798b21c%40%3Cdev.brooklyn.apache.org%3E"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Apache Brooklyn",
"vendor": "Apache Software Foundation",
"versions": [
{
"status": "affected",
"version": "0.9.0 and all prior versions"
}
]
}
],
"datePublic": "2017-02-10T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "In Apache Brooklyn before 0.10.0, the REST server is vulnerable to cross-site scripting where one authenticated user can cause scripts to run in the browser of another user authorized to access the first user\u0027s resources. This is due to improper escaping of server-side content. There is known to be a proof-of-concept exploit using this vulnerability."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Cross-site scripting",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2017-09-14T09:57:01",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"name": "96228",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/96228"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://brooklyn.apache.org/community/security/CVE-2017-3165.html"
},
{
"name": "[dev] 20170210 [SECURITY] CVE-2017-3165: Cross-site vulnerabilities in Apache Brooklyn",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/5aa6b7583edbfc1f5653607003204326d9e27ef65e8af356c798b21c%40%3Cdev.brooklyn.apache.org%3E"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@apache.org",
"DATE_PUBLIC": "2017-02-10T00:00:00",
"ID": "CVE-2017-3165",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Apache Brooklyn",
"version": {
"version_data": [
{
"version_value": "0.9.0 and all prior versions"
}
]
}
}
]
},
"vendor_name": "Apache Software Foundation"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "In Apache Brooklyn before 0.10.0, the REST server is vulnerable to cross-site scripting where one authenticated user can cause scripts to run in the browser of another user authorized to access the first user\u0027s resources. This is due to improper escaping of server-side content. There is known to be a proof-of-concept exploit using this vulnerability."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Cross-site scripting"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "96228",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/96228"
},
{
"name": "https://brooklyn.apache.org/community/security/CVE-2017-3165.html",
"refsource": "CONFIRM",
"url": "https://brooklyn.apache.org/community/security/CVE-2017-3165.html"
},
{
"name": "[dev] 20170210 [SECURITY] CVE-2017-3165: Cross-site vulnerabilities in Apache Brooklyn",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/5aa6b7583edbfc1f5653607003204326d9e27ef65e8af356c798b21c@%3Cdev.brooklyn.apache.org%3E"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2017-3165",
"datePublished": "2017-09-13T16:00:00Z",
"dateReserved": "2016-12-05T00:00:00",
"dateUpdated": "2024-09-16T18:54:35.712Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2016-8737 (GCVE-0-2016-8737)
Vulnerability from cvelistv5 – Published: 2017-09-13 16:00 – Updated: 2024-09-17 03:34
VLAI?
Summary
In Apache Brooklyn before 0.10.0, the REST server is vulnerable to cross-site request forgery (CSRF), which could permit a malicious web site to produce a link which, if clicked whilst a user is logged in to Brooklyn, would cause the server to execute the attacker's commands as the user. There is known to be a proof-of-concept exploit using this vulnerability.
Severity ?
No CVSS data available.
CWE
- Cross-site request forgery (CSRF)
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Apache Brooklyn |
Affected:
0.9.0 and all prior versions
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T02:27:41.305Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://brooklyn.apache.org/community/security/CVE-2016-8737.html"
},
{
"name": "96228",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/96228"
},
{
"name": "[dev] 20170210 [SECURITY] CVE-2016-8737: Cross-site request forgery vulnerability in Apache Brooklyn",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/877813aaaa0e636adbc36106b89a54e0e6918f0884e9c8b67d5d5953%40%3Cdev.brooklyn.apache.org%3E"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Apache Brooklyn",
"vendor": "Apache Software Foundation",
"versions": [
{
"status": "affected",
"version": "0.9.0 and all prior versions"
}
]
}
],
"datePublic": "2017-02-10T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "In Apache Brooklyn before 0.10.0, the REST server is vulnerable to cross-site request forgery (CSRF), which could permit a malicious web site to produce a link which, if clicked whilst a user is logged in to Brooklyn, would cause the server to execute the attacker\u0027s commands as the user. There is known to be a proof-of-concept exploit using this vulnerability."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Cross-site request forgery (CSRF)",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2017-09-14T09:57:01",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://brooklyn.apache.org/community/security/CVE-2016-8737.html"
},
{
"name": "96228",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/96228"
},
{
"name": "[dev] 20170210 [SECURITY] CVE-2016-8737: Cross-site request forgery vulnerability in Apache Brooklyn",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/877813aaaa0e636adbc36106b89a54e0e6918f0884e9c8b67d5d5953%40%3Cdev.brooklyn.apache.org%3E"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@apache.org",
"DATE_PUBLIC": "2017-02-10T00:00:00",
"ID": "CVE-2016-8737",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Apache Brooklyn",
"version": {
"version_data": [
{
"version_value": "0.9.0 and all prior versions"
}
]
}
}
]
},
"vendor_name": "Apache Software Foundation"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "In Apache Brooklyn before 0.10.0, the REST server is vulnerable to cross-site request forgery (CSRF), which could permit a malicious web site to produce a link which, if clicked whilst a user is logged in to Brooklyn, would cause the server to execute the attacker\u0027s commands as the user. There is known to be a proof-of-concept exploit using this vulnerability."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Cross-site request forgery (CSRF)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://brooklyn.apache.org/community/security/CVE-2016-8737.html",
"refsource": "CONFIRM",
"url": "https://brooklyn.apache.org/community/security/CVE-2016-8737.html"
},
{
"name": "96228",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/96228"
},
{
"name": "[dev] 20170210 [SECURITY] CVE-2016-8737: Cross-site request forgery vulnerability in Apache Brooklyn",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/877813aaaa0e636adbc36106b89a54e0e6918f0884e9c8b67d5d5953@%3Cdev.brooklyn.apache.org%3E"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2016-8737",
"datePublished": "2017-09-13T16:00:00Z",
"dateReserved": "2016-10-18T00:00:00",
"dateUpdated": "2024-09-17T03:34:06.512Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2016-8744 (GCVE-0-2016-8744)
Vulnerability from nvd – Published: 2017-09-13 16:00 – Updated: 2024-09-16 18:09
VLAI?
Summary
Apache Brooklyn uses the SnakeYAML library for parsing YAML inputs. SnakeYAML allows the use of YAML tags to indicate that SnakeYAML should unmarshal data to a Java type. In the default configuration in Brooklyn before 0.10.0, SnakeYAML will allow unmarshalling to any Java type available on the classpath. This could provide an authenticated user with a means to cause the JVM running Brooklyn to load and run Java code without detection by Brooklyn. Such code would have the privileges of the Java process running Brooklyn, including the ability to open files and network connections, and execute system commands. There is known to be a proof-of-concept exploit using this vulnerability.
Severity ?
No CVSS data available.
CWE
- Remote code execution
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Apache Brooklyn |
Affected:
0.9.0 and all prior versions
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T02:34:59.620Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://brooklyn.apache.org/community/security/CVE-2016-8744.html"
},
{
"name": "[dev] 20170210 [SECURITY] CVE-2016-8744: Apache Brooklyn, SnakeYAML configuration potentially allows remote code execution",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/3f4d09c1c1a3cdfd1da0a05c8362769b917c078eed5b6c2f8e37a761%40%3Cdev.brooklyn.apache.org%3E"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Apache Brooklyn",
"vendor": "Apache Software Foundation",
"versions": [
{
"status": "affected",
"version": "0.9.0 and all prior versions"
}
]
}
],
"datePublic": "2017-02-10T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Apache Brooklyn uses the SnakeYAML library for parsing YAML inputs. SnakeYAML allows the use of YAML tags to indicate that SnakeYAML should unmarshal data to a Java type. In the default configuration in Brooklyn before 0.10.0, SnakeYAML will allow unmarshalling to any Java type available on the classpath. This could provide an authenticated user with a means to cause the JVM running Brooklyn to load and run Java code without detection by Brooklyn. Such code would have the privileges of the Java process running Brooklyn, including the ability to open files and network connections, and execute system commands. There is known to be a proof-of-concept exploit using this vulnerability."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Remote code execution",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2017-09-13T15:57:01",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://brooklyn.apache.org/community/security/CVE-2016-8744.html"
},
{
"name": "[dev] 20170210 [SECURITY] CVE-2016-8744: Apache Brooklyn, SnakeYAML configuration potentially allows remote code execution",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/3f4d09c1c1a3cdfd1da0a05c8362769b917c078eed5b6c2f8e37a761%40%3Cdev.brooklyn.apache.org%3E"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@apache.org",
"DATE_PUBLIC": "2017-02-10T00:00:00",
"ID": "CVE-2016-8744",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Apache Brooklyn",
"version": {
"version_data": [
{
"version_value": "0.9.0 and all prior versions"
}
]
}
}
]
},
"vendor_name": "Apache Software Foundation"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Apache Brooklyn uses the SnakeYAML library for parsing YAML inputs. SnakeYAML allows the use of YAML tags to indicate that SnakeYAML should unmarshal data to a Java type. In the default configuration in Brooklyn before 0.10.0, SnakeYAML will allow unmarshalling to any Java type available on the classpath. This could provide an authenticated user with a means to cause the JVM running Brooklyn to load and run Java code without detection by Brooklyn. Such code would have the privileges of the Java process running Brooklyn, including the ability to open files and network connections, and execute system commands. There is known to be a proof-of-concept exploit using this vulnerability."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Remote code execution"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://brooklyn.apache.org/community/security/CVE-2016-8744.html",
"refsource": "CONFIRM",
"url": "https://brooklyn.apache.org/community/security/CVE-2016-8744.html"
},
{
"name": "[dev] 20170210 [SECURITY] CVE-2016-8744: Apache Brooklyn, SnakeYAML configuration potentially allows remote code execution",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/3f4d09c1c1a3cdfd1da0a05c8362769b917c078eed5b6c2f8e37a761@%3Cdev.brooklyn.apache.org%3E"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2016-8744",
"datePublished": "2017-09-13T16:00:00Z",
"dateReserved": "2016-10-18T00:00:00",
"dateUpdated": "2024-09-16T18:09:23.475Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2017-3165 (GCVE-0-2017-3165)
Vulnerability from nvd – Published: 2017-09-13 16:00 – Updated: 2024-09-16 18:54
VLAI?
Summary
In Apache Brooklyn before 0.10.0, the REST server is vulnerable to cross-site scripting where one authenticated user can cause scripts to run in the browser of another user authorized to access the first user's resources. This is due to improper escaping of server-side content. There is known to be a proof-of-concept exploit using this vulnerability.
Severity ?
No CVSS data available.
CWE
- Cross-site scripting
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Apache Brooklyn |
Affected:
0.9.0 and all prior versions
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T14:16:28.323Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "96228",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/96228"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://brooklyn.apache.org/community/security/CVE-2017-3165.html"
},
{
"name": "[dev] 20170210 [SECURITY] CVE-2017-3165: Cross-site vulnerabilities in Apache Brooklyn",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/5aa6b7583edbfc1f5653607003204326d9e27ef65e8af356c798b21c%40%3Cdev.brooklyn.apache.org%3E"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Apache Brooklyn",
"vendor": "Apache Software Foundation",
"versions": [
{
"status": "affected",
"version": "0.9.0 and all prior versions"
}
]
}
],
"datePublic": "2017-02-10T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "In Apache Brooklyn before 0.10.0, the REST server is vulnerable to cross-site scripting where one authenticated user can cause scripts to run in the browser of another user authorized to access the first user\u0027s resources. This is due to improper escaping of server-side content. There is known to be a proof-of-concept exploit using this vulnerability."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Cross-site scripting",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2017-09-14T09:57:01",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"name": "96228",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/96228"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://brooklyn.apache.org/community/security/CVE-2017-3165.html"
},
{
"name": "[dev] 20170210 [SECURITY] CVE-2017-3165: Cross-site vulnerabilities in Apache Brooklyn",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/5aa6b7583edbfc1f5653607003204326d9e27ef65e8af356c798b21c%40%3Cdev.brooklyn.apache.org%3E"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@apache.org",
"DATE_PUBLIC": "2017-02-10T00:00:00",
"ID": "CVE-2017-3165",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Apache Brooklyn",
"version": {
"version_data": [
{
"version_value": "0.9.0 and all prior versions"
}
]
}
}
]
},
"vendor_name": "Apache Software Foundation"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "In Apache Brooklyn before 0.10.0, the REST server is vulnerable to cross-site scripting where one authenticated user can cause scripts to run in the browser of another user authorized to access the first user\u0027s resources. This is due to improper escaping of server-side content. There is known to be a proof-of-concept exploit using this vulnerability."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Cross-site scripting"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "96228",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/96228"
},
{
"name": "https://brooklyn.apache.org/community/security/CVE-2017-3165.html",
"refsource": "CONFIRM",
"url": "https://brooklyn.apache.org/community/security/CVE-2017-3165.html"
},
{
"name": "[dev] 20170210 [SECURITY] CVE-2017-3165: Cross-site vulnerabilities in Apache Brooklyn",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/5aa6b7583edbfc1f5653607003204326d9e27ef65e8af356c798b21c@%3Cdev.brooklyn.apache.org%3E"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2017-3165",
"datePublished": "2017-09-13T16:00:00Z",
"dateReserved": "2016-12-05T00:00:00",
"dateUpdated": "2024-09-16T18:54:35.712Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2016-8737 (GCVE-0-2016-8737)
Vulnerability from nvd – Published: 2017-09-13 16:00 – Updated: 2024-09-17 03:34
VLAI?
Summary
In Apache Brooklyn before 0.10.0, the REST server is vulnerable to cross-site request forgery (CSRF), which could permit a malicious web site to produce a link which, if clicked whilst a user is logged in to Brooklyn, would cause the server to execute the attacker's commands as the user. There is known to be a proof-of-concept exploit using this vulnerability.
Severity ?
No CVSS data available.
CWE
- Cross-site request forgery (CSRF)
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Apache Brooklyn |
Affected:
0.9.0 and all prior versions
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T02:27:41.305Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://brooklyn.apache.org/community/security/CVE-2016-8737.html"
},
{
"name": "96228",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/96228"
},
{
"name": "[dev] 20170210 [SECURITY] CVE-2016-8737: Cross-site request forgery vulnerability in Apache Brooklyn",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/877813aaaa0e636adbc36106b89a54e0e6918f0884e9c8b67d5d5953%40%3Cdev.brooklyn.apache.org%3E"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Apache Brooklyn",
"vendor": "Apache Software Foundation",
"versions": [
{
"status": "affected",
"version": "0.9.0 and all prior versions"
}
]
}
],
"datePublic": "2017-02-10T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "In Apache Brooklyn before 0.10.0, the REST server is vulnerable to cross-site request forgery (CSRF), which could permit a malicious web site to produce a link which, if clicked whilst a user is logged in to Brooklyn, would cause the server to execute the attacker\u0027s commands as the user. There is known to be a proof-of-concept exploit using this vulnerability."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Cross-site request forgery (CSRF)",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2017-09-14T09:57:01",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://brooklyn.apache.org/community/security/CVE-2016-8737.html"
},
{
"name": "96228",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/96228"
},
{
"name": "[dev] 20170210 [SECURITY] CVE-2016-8737: Cross-site request forgery vulnerability in Apache Brooklyn",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/877813aaaa0e636adbc36106b89a54e0e6918f0884e9c8b67d5d5953%40%3Cdev.brooklyn.apache.org%3E"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@apache.org",
"DATE_PUBLIC": "2017-02-10T00:00:00",
"ID": "CVE-2016-8737",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Apache Brooklyn",
"version": {
"version_data": [
{
"version_value": "0.9.0 and all prior versions"
}
]
}
}
]
},
"vendor_name": "Apache Software Foundation"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "In Apache Brooklyn before 0.10.0, the REST server is vulnerable to cross-site request forgery (CSRF), which could permit a malicious web site to produce a link which, if clicked whilst a user is logged in to Brooklyn, would cause the server to execute the attacker\u0027s commands as the user. There is known to be a proof-of-concept exploit using this vulnerability."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Cross-site request forgery (CSRF)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://brooklyn.apache.org/community/security/CVE-2016-8737.html",
"refsource": "CONFIRM",
"url": "https://brooklyn.apache.org/community/security/CVE-2016-8737.html"
},
{
"name": "96228",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/96228"
},
{
"name": "[dev] 20170210 [SECURITY] CVE-2016-8737: Cross-site request forgery vulnerability in Apache Brooklyn",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/877813aaaa0e636adbc36106b89a54e0e6918f0884e9c8b67d5d5953@%3Cdev.brooklyn.apache.org%3E"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2016-8737",
"datePublished": "2017-09-13T16:00:00Z",
"dateReserved": "2016-10-18T00:00:00",
"dateUpdated": "2024-09-17T03:34:06.512Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
JVNDB-2017-000026
Vulnerability from jvndb - Published: 2017-02-15 16:20 - Updated:2018-03-07 14:35
Severity ?
Summary
Apache Brooklyn vulnerable to cross-site request forgery
Details
Apache Brooklyn is a framework for modeling, monitoring, and managing applications. Apache Brooklyn contains a cross-site request forgery vulnerability.
It is known that proof-of-concept code to exploit these vulnerabilties exist.
Toshitsugu Yoneyama of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
References
| Type | URL | |
|---|---|---|
Impacted products
| Vendor | Product | |
|---|---|---|
{
"@rdf:about": "https://jvndb.jvn.jp/en/contents/2017/JVNDB-2017-000026.html",
"dc:date": "2018-03-07T14:35+09:00",
"dcterms:issued": "2017-02-15T16:20+09:00",
"dcterms:modified": "2018-03-07T14:35+09:00",
"description": "Apache Brooklyn is a framework for modeling, monitoring, and managing applications. Apache Brooklyn contains a cross-site request forgery vulnerability.\r\nIt is known that proof-of-concept code to exploit these vulnerabilties exist.\r\n\r\nToshitsugu Yoneyama of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA.\r\nJPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.",
"link": "https://jvndb.jvn.jp/en/contents/2017/JVNDB-2017-000026.html",
"sec:cpe": {
"#text": "cpe:/a:apache:brooklyn",
"@product": "Apache Brooklyn",
"@vendor": "Apache Software Foundation",
"@version": "2.2"
},
"sec:cvss": [
{
"@score": "2.6",
"@severity": "Low",
"@type": "Base",
"@vector": "AV:N/AC:H/Au:N/C:N/I:P/A:N",
"@version": "2.0"
},
{
"@score": "4.3",
"@severity": "Medium",
"@type": "Base",
"@vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
"@version": "3.0"
}
],
"sec:identifier": "JVNDB-2017-000026",
"sec:references": [
{
"#text": "http://jvn.jp/en/jp/JVN55489964/index.html",
"@id": "JVN#55489964",
"@source": "JVN"
},
{
"#text": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8737",
"@id": "CVE-2016-8737",
"@source": "CVE"
},
{
"#text": "https://nvd.nist.gov/vuln/detail/CVE-2016-8737",
"@id": "CVE-2016-8737",
"@source": "NVD"
},
{
"#text": "https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html",
"@id": "CWE-352",
"@title": "Cross-Site Request Forgery(CWE-352)"
}
],
"title": "Apache Brooklyn vulnerable to cross-site request forgery"
}
JVNDB-2017-000025
Vulnerability from jvndb - Published: 2017-02-15 16:20 - Updated:2017-02-15 16:20
Severity ?
Summary
Apache Brooklyn vulnerable to cross-site scripting
Details
Apache Brooklyn is a framework for modeling, monitoring, and managing applications. Apache Brooklyn contains cross-site scripting vulnerabilities.
It is known that proof-of-concept code to exploit these vulnerabilties exist.
Toshitsugu Yoneyama of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
References
Impacted products
| Vendor | Product | |
|---|---|---|
{
"@rdf:about": "https://jvndb.jvn.jp/en/contents/2017/JVNDB-2017-000025.html",
"dc:date": "2017-02-15T16:20+09:00",
"dcterms:issued": "2017-02-15T16:20+09:00",
"dcterms:modified": "2017-02-15T16:20+09:00",
"description": "Apache Brooklyn is a framework for modeling, monitoring, and managing applications. Apache Brooklyn contains cross-site scripting vulnerabilities.\r\nIt is known that proof-of-concept code to exploit these vulnerabilties exist.\r\n\r\nToshitsugu Yoneyama of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA.\r\nJPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.",
"link": "https://jvndb.jvn.jp/en/contents/2017/JVNDB-2017-000025.html",
"sec:cpe": {
"#text": "cpe:/a:apache:brooklyn",
"@product": "Apache Brooklyn",
"@vendor": "Apache Software Foundation",
"@version": "2.2"
},
"sec:cvss": [
{
"@score": "3.5",
"@severity": "Low",
"@type": "Base",
"@vector": "AV:N/AC:M/Au:S/C:N/I:P/A:N",
"@version": "2.0"
},
{
"@score": "5.4",
"@severity": "Medium",
"@type": "Base",
"@vector": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"@version": "3.0"
}
],
"sec:identifier": "JVNDB-2017-000025",
"sec:references": [
{
"#text": "http://jvn.jp/en/jp/JVN55489964/index.html",
"@id": "JVN#55489964",
"@source": "JVN"
},
{
"#text": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3165",
"@id": "CVE-2017-3165",
"@source": "CVE"
},
{
"#text": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8737",
"@id": "CVE-2016-8737",
"@source": "CVE"
},
{
"#text": "https://nvd.nist.gov/vuln/detail/CVE-2016-8737",
"@id": "CVE-2016-8737",
"@source": "NVD"
},
{
"#text": "https://nvd.nist.gov/vuln/detail/CVE-2017-3165",
"@id": "CVE-2017-3165",
"@source": "NVD"
},
{
"#text": "https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html",
"@id": "CWE-79",
"@title": "Cross-site Scripting(CWE-79)"
}
],
"title": "Apache Brooklyn vulnerable to cross-site scripting"
}