Search criteria
9 vulnerabilities found for brooklyn by apache
FKIE_CVE-2016-8737
Vulnerability from fkie_nvd - Published: 2017-09-13 16:29 - Updated: 2025-04-20 01:37
Severity ?
Summary
In Apache Brooklyn before 0.10.0, the REST server is vulnerable to cross-site request forgery (CSRF), which could permit a malicious web site to produce a link which, if clicked whilst a user is logged in to Brooklyn, would cause the server to execute the attacker's commands as the user. There is known to be a proof-of-concept exploit using this vulnerability.
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:apache:brooklyn:*:*:*:*:*:*:*:*",
"matchCriteriaId": "37F4D23C-1126-43D6-9C86-706C0B6D38D1",
"versionEndIncluding": "0.9.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "In Apache Brooklyn before 0.10.0, the REST server is vulnerable to cross-site request forgery (CSRF), which could permit a malicious web site to produce a link which, if clicked whilst a user is logged in to Brooklyn, would cause the server to execute the attacker\u0027s commands as the user. There is known to be a proof-of-concept exploit using this vulnerability."
},
{
"lang": "es",
"value": "En las versiones anteriores a la 0.10.0 de Apache Brooklyn, el servidor REST es vulnerable a Cross-Site Request Forgery (CSRF), lo que podr\u00eda permitir que una p\u00e1gina web maliciosa produzca un enlace que provocar\u00eda que el servidor ejecute los comandos del atacante como el usuario si se accede a \u00e9l cuando un usuario tiene iniciada su sesi\u00f3n en Brooklyn. Se sabe que existe un exploit a modo de prueba de concepto que utiliza esta vulnerabilidad."
}
],
"id": "CVE-2016-8737",
"lastModified": "2025-04-20T01:37:25.860",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 6.8,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.0"
},
"exploitabilityScore": 2.8,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2017-09-13T16:29:00.370",
"references": [
{
"source": "security@apache.org",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "http://www.securityfocus.com/bid/96228"
},
{
"source": "security@apache.org",
"tags": [
"Mitigation",
"Patch",
"Vendor Advisory"
],
"url": "https://brooklyn.apache.org/community/security/CVE-2016-8737.html"
},
{
"source": "security@apache.org",
"url": "https://lists.apache.org/thread.html/877813aaaa0e636adbc36106b89a54e0e6918f0884e9c8b67d5d5953%40%3Cdev.brooklyn.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "http://www.securityfocus.com/bid/96228"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mitigation",
"Patch",
"Vendor Advisory"
],
"url": "https://brooklyn.apache.org/community/security/CVE-2016-8737.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/877813aaaa0e636adbc36106b89a54e0e6918f0884e9c8b67d5d5953%40%3Cdev.brooklyn.apache.org%3E"
}
],
"sourceIdentifier": "security@apache.org",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-352"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2016-8744
Vulnerability from fkie_nvd - Published: 2017-09-13 16:29 - Updated: 2025-04-20 01:37
Severity ?
Summary
Apache Brooklyn uses the SnakeYAML library for parsing YAML inputs. SnakeYAML allows the use of YAML tags to indicate that SnakeYAML should unmarshal data to a Java type. In the default configuration in Brooklyn before 0.10.0, SnakeYAML will allow unmarshalling to any Java type available on the classpath. This could provide an authenticated user with a means to cause the JVM running Brooklyn to load and run Java code without detection by Brooklyn. Such code would have the privileges of the Java process running Brooklyn, including the ability to open files and network connections, and execute system commands. There is known to be a proof-of-concept exploit using this vulnerability.
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:apache:brooklyn:*:*:*:*:*:*:*:*",
"matchCriteriaId": "37F4D23C-1126-43D6-9C86-706C0B6D38D1",
"versionEndIncluding": "0.9.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Apache Brooklyn uses the SnakeYAML library for parsing YAML inputs. SnakeYAML allows the use of YAML tags to indicate that SnakeYAML should unmarshal data to a Java type. In the default configuration in Brooklyn before 0.10.0, SnakeYAML will allow unmarshalling to any Java type available on the classpath. This could provide an authenticated user with a means to cause the JVM running Brooklyn to load and run Java code without detection by Brooklyn. Such code would have the privileges of the Java process running Brooklyn, including the ability to open files and network connections, and execute system commands. There is known to be a proof-of-concept exploit using this vulnerability."
},
{
"lang": "es",
"value": "Apache Brooklyn utiliza la librer\u00eda SnakeYAML para analizar sint\u00e1cticamente los valores de entrada en YAML. SnakeYAML permite el uso de etiquetas YAML para indicar que esta librer\u00eda deber\u00eda deserializar datos para tipo Java. En la configuraci\u00f3n por defecto en Brooklyn en versiones anteriores a la 0.10.0, SnakeYAML permite deserializar cualquier tipo de Java disponible en el classpath. Esto podr\u00eda proporcionar a un usuario autenticado los medios para hacer que la m\u00e1quina virtual Java que est\u00e1 ejecutando Brooklyn cargue y ejecute c\u00f3digo Java sin que Brooklyn lo detecte. Ese c\u00f3digo tendr\u00eda los privilegios del proceso Java que ejecuta Brooklyn, incluida la capacidad de abrir archivos y conexiones de red y ejecutar comandos del sistema. Se sabe que existe un exploit a modo de prueba de concepto que utiliza esta vulnerabilidad."
}
],
"id": "CVE-2016-8744",
"lastModified": "2025-04-20T01:37:25.860",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "HIGH",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "COMPLETE",
"baseScore": 9.0,
"confidentialityImpact": "COMPLETE",
"integrityImpact": "COMPLETE",
"vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C",
"version": "2.0"
},
"exploitabilityScore": 8.0,
"impactScore": 10.0,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
},
"exploitabilityScore": 2.8,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2017-09-13T16:29:00.400",
"references": [
{
"source": "security@apache.org",
"tags": [
"Exploit",
"Vendor Advisory"
],
"url": "https://brooklyn.apache.org/community/security/CVE-2016-8744.html"
},
{
"source": "security@apache.org",
"url": "https://lists.apache.org/thread.html/3f4d09c1c1a3cdfd1da0a05c8362769b917c078eed5b6c2f8e37a761%40%3Cdev.brooklyn.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Vendor Advisory"
],
"url": "https://brooklyn.apache.org/community/security/CVE-2016-8744.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/3f4d09c1c1a3cdfd1da0a05c8362769b917c078eed5b6c2f8e37a761%40%3Cdev.brooklyn.apache.org%3E"
}
],
"sourceIdentifier": "security@apache.org",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-502"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2017-3165
Vulnerability from fkie_nvd - Published: 2017-09-13 16:29 - Updated: 2025-04-20 01:37
Severity ?
Summary
In Apache Brooklyn before 0.10.0, the REST server is vulnerable to cross-site scripting where one authenticated user can cause scripts to run in the browser of another user authorized to access the first user's resources. This is due to improper escaping of server-side content. There is known to be a proof-of-concept exploit using this vulnerability.
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:apache:brooklyn:*:*:*:*:*:*:*:*",
"matchCriteriaId": "37F4D23C-1126-43D6-9C86-706C0B6D38D1",
"versionEndIncluding": "0.9.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "In Apache Brooklyn before 0.10.0, the REST server is vulnerable to cross-site scripting where one authenticated user can cause scripts to run in the browser of another user authorized to access the first user\u0027s resources. This is due to improper escaping of server-side content. There is known to be a proof-of-concept exploit using this vulnerability."
},
{
"lang": "es",
"value": "En Apache Brooklyn en versiones anteriores a la 0.10.0, el servidor REST es vulnerable a Cross-Site Scripting (XSS) en el cual un usuario autenticado puede hacer que los scripts se ejecuten en el navegador de otro usuario autorizado para acceder a los recursos del primer usuario. Esto se debe al escape incorrecto del contenido del lado del servidor. Se sabe que existe un exploit a modo de prueba de concepto que emplea esta vulnerabilidad."
}
],
"id": "CVE-2017-3165",
"lastModified": "2025-04-20T01:37:25.860",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "LOW",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "NONE",
"baseScore": 3.5,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 6.8,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.0"
},
"exploitabilityScore": 2.3,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2017-09-13T16:29:00.540",
"references": [
{
"source": "security@apache.org",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "http://www.securityfocus.com/bid/96228"
},
{
"source": "security@apache.org",
"tags": [
"Exploit",
"Vendor Advisory"
],
"url": "https://brooklyn.apache.org/community/security/CVE-2017-3165.html"
},
{
"source": "security@apache.org",
"url": "https://lists.apache.org/thread.html/5aa6b7583edbfc1f5653607003204326d9e27ef65e8af356c798b21c%40%3Cdev.brooklyn.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "http://www.securityfocus.com/bid/96228"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Vendor Advisory"
],
"url": "https://brooklyn.apache.org/community/security/CVE-2017-3165.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/5aa6b7583edbfc1f5653607003204326d9e27ef65e8af356c798b21c%40%3Cdev.brooklyn.apache.org%3E"
}
],
"sourceIdentifier": "security@apache.org",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
CVE-2016-8737 (GCVE-0-2016-8737)
Vulnerability from cvelistv5 – Published: 2017-09-13 16:00 – Updated: 2024-09-17 03:34
VLAI?
Summary
In Apache Brooklyn before 0.10.0, the REST server is vulnerable to cross-site request forgery (CSRF), which could permit a malicious web site to produce a link which, if clicked whilst a user is logged in to Brooklyn, would cause the server to execute the attacker's commands as the user. There is known to be a proof-of-concept exploit using this vulnerability.
Severity ?
No CVSS data available.
CWE
- Cross-site request forgery (CSRF)
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Apache Brooklyn |
Affected:
0.9.0 and all prior versions
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T02:27:41.305Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://brooklyn.apache.org/community/security/CVE-2016-8737.html"
},
{
"name": "96228",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/96228"
},
{
"name": "[dev] 20170210 [SECURITY] CVE-2016-8737: Cross-site request forgery vulnerability in Apache Brooklyn",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/877813aaaa0e636adbc36106b89a54e0e6918f0884e9c8b67d5d5953%40%3Cdev.brooklyn.apache.org%3E"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Apache Brooklyn",
"vendor": "Apache Software Foundation",
"versions": [
{
"status": "affected",
"version": "0.9.0 and all prior versions"
}
]
}
],
"datePublic": "2017-02-10T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "In Apache Brooklyn before 0.10.0, the REST server is vulnerable to cross-site request forgery (CSRF), which could permit a malicious web site to produce a link which, if clicked whilst a user is logged in to Brooklyn, would cause the server to execute the attacker\u0027s commands as the user. There is known to be a proof-of-concept exploit using this vulnerability."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Cross-site request forgery (CSRF)",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2017-09-14T09:57:01",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://brooklyn.apache.org/community/security/CVE-2016-8737.html"
},
{
"name": "96228",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/96228"
},
{
"name": "[dev] 20170210 [SECURITY] CVE-2016-8737: Cross-site request forgery vulnerability in Apache Brooklyn",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/877813aaaa0e636adbc36106b89a54e0e6918f0884e9c8b67d5d5953%40%3Cdev.brooklyn.apache.org%3E"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@apache.org",
"DATE_PUBLIC": "2017-02-10T00:00:00",
"ID": "CVE-2016-8737",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Apache Brooklyn",
"version": {
"version_data": [
{
"version_value": "0.9.0 and all prior versions"
}
]
}
}
]
},
"vendor_name": "Apache Software Foundation"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "In Apache Brooklyn before 0.10.0, the REST server is vulnerable to cross-site request forgery (CSRF), which could permit a malicious web site to produce a link which, if clicked whilst a user is logged in to Brooklyn, would cause the server to execute the attacker\u0027s commands as the user. There is known to be a proof-of-concept exploit using this vulnerability."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Cross-site request forgery (CSRF)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://brooklyn.apache.org/community/security/CVE-2016-8737.html",
"refsource": "CONFIRM",
"url": "https://brooklyn.apache.org/community/security/CVE-2016-8737.html"
},
{
"name": "96228",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/96228"
},
{
"name": "[dev] 20170210 [SECURITY] CVE-2016-8737: Cross-site request forgery vulnerability in Apache Brooklyn",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/877813aaaa0e636adbc36106b89a54e0e6918f0884e9c8b67d5d5953@%3Cdev.brooklyn.apache.org%3E"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2016-8737",
"datePublished": "2017-09-13T16:00:00Z",
"dateReserved": "2016-10-18T00:00:00",
"dateUpdated": "2024-09-17T03:34:06.512Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2016-8744 (GCVE-0-2016-8744)
Vulnerability from cvelistv5 – Published: 2017-09-13 16:00 – Updated: 2024-09-16 18:09
VLAI?
Summary
Apache Brooklyn uses the SnakeYAML library for parsing YAML inputs. SnakeYAML allows the use of YAML tags to indicate that SnakeYAML should unmarshal data to a Java type. In the default configuration in Brooklyn before 0.10.0, SnakeYAML will allow unmarshalling to any Java type available on the classpath. This could provide an authenticated user with a means to cause the JVM running Brooklyn to load and run Java code without detection by Brooklyn. Such code would have the privileges of the Java process running Brooklyn, including the ability to open files and network connections, and execute system commands. There is known to be a proof-of-concept exploit using this vulnerability.
Severity ?
No CVSS data available.
CWE
- Remote code execution
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Apache Brooklyn |
Affected:
0.9.0 and all prior versions
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T02:34:59.620Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://brooklyn.apache.org/community/security/CVE-2016-8744.html"
},
{
"name": "[dev] 20170210 [SECURITY] CVE-2016-8744: Apache Brooklyn, SnakeYAML configuration potentially allows remote code execution",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/3f4d09c1c1a3cdfd1da0a05c8362769b917c078eed5b6c2f8e37a761%40%3Cdev.brooklyn.apache.org%3E"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Apache Brooklyn",
"vendor": "Apache Software Foundation",
"versions": [
{
"status": "affected",
"version": "0.9.0 and all prior versions"
}
]
}
],
"datePublic": "2017-02-10T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Apache Brooklyn uses the SnakeYAML library for parsing YAML inputs. SnakeYAML allows the use of YAML tags to indicate that SnakeYAML should unmarshal data to a Java type. In the default configuration in Brooklyn before 0.10.0, SnakeYAML will allow unmarshalling to any Java type available on the classpath. This could provide an authenticated user with a means to cause the JVM running Brooklyn to load and run Java code without detection by Brooklyn. Such code would have the privileges of the Java process running Brooklyn, including the ability to open files and network connections, and execute system commands. There is known to be a proof-of-concept exploit using this vulnerability."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Remote code execution",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2017-09-13T15:57:01",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://brooklyn.apache.org/community/security/CVE-2016-8744.html"
},
{
"name": "[dev] 20170210 [SECURITY] CVE-2016-8744: Apache Brooklyn, SnakeYAML configuration potentially allows remote code execution",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/3f4d09c1c1a3cdfd1da0a05c8362769b917c078eed5b6c2f8e37a761%40%3Cdev.brooklyn.apache.org%3E"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@apache.org",
"DATE_PUBLIC": "2017-02-10T00:00:00",
"ID": "CVE-2016-8744",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Apache Brooklyn",
"version": {
"version_data": [
{
"version_value": "0.9.0 and all prior versions"
}
]
}
}
]
},
"vendor_name": "Apache Software Foundation"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Apache Brooklyn uses the SnakeYAML library for parsing YAML inputs. SnakeYAML allows the use of YAML tags to indicate that SnakeYAML should unmarshal data to a Java type. In the default configuration in Brooklyn before 0.10.0, SnakeYAML will allow unmarshalling to any Java type available on the classpath. This could provide an authenticated user with a means to cause the JVM running Brooklyn to load and run Java code without detection by Brooklyn. Such code would have the privileges of the Java process running Brooklyn, including the ability to open files and network connections, and execute system commands. There is known to be a proof-of-concept exploit using this vulnerability."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Remote code execution"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://brooklyn.apache.org/community/security/CVE-2016-8744.html",
"refsource": "CONFIRM",
"url": "https://brooklyn.apache.org/community/security/CVE-2016-8744.html"
},
{
"name": "[dev] 20170210 [SECURITY] CVE-2016-8744: Apache Brooklyn, SnakeYAML configuration potentially allows remote code execution",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/3f4d09c1c1a3cdfd1da0a05c8362769b917c078eed5b6c2f8e37a761@%3Cdev.brooklyn.apache.org%3E"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2016-8744",
"datePublished": "2017-09-13T16:00:00Z",
"dateReserved": "2016-10-18T00:00:00",
"dateUpdated": "2024-09-16T18:09:23.475Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2017-3165 (GCVE-0-2017-3165)
Vulnerability from cvelistv5 – Published: 2017-09-13 16:00 – Updated: 2024-09-16 18:54
VLAI?
Summary
In Apache Brooklyn before 0.10.0, the REST server is vulnerable to cross-site scripting where one authenticated user can cause scripts to run in the browser of another user authorized to access the first user's resources. This is due to improper escaping of server-side content. There is known to be a proof-of-concept exploit using this vulnerability.
Severity ?
No CVSS data available.
CWE
- Cross-site scripting
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Apache Brooklyn |
Affected:
0.9.0 and all prior versions
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T14:16:28.323Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "96228",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/96228"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://brooklyn.apache.org/community/security/CVE-2017-3165.html"
},
{
"name": "[dev] 20170210 [SECURITY] CVE-2017-3165: Cross-site vulnerabilities in Apache Brooklyn",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/5aa6b7583edbfc1f5653607003204326d9e27ef65e8af356c798b21c%40%3Cdev.brooklyn.apache.org%3E"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Apache Brooklyn",
"vendor": "Apache Software Foundation",
"versions": [
{
"status": "affected",
"version": "0.9.0 and all prior versions"
}
]
}
],
"datePublic": "2017-02-10T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "In Apache Brooklyn before 0.10.0, the REST server is vulnerable to cross-site scripting where one authenticated user can cause scripts to run in the browser of another user authorized to access the first user\u0027s resources. This is due to improper escaping of server-side content. There is known to be a proof-of-concept exploit using this vulnerability."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Cross-site scripting",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2017-09-14T09:57:01",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"name": "96228",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/96228"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://brooklyn.apache.org/community/security/CVE-2017-3165.html"
},
{
"name": "[dev] 20170210 [SECURITY] CVE-2017-3165: Cross-site vulnerabilities in Apache Brooklyn",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/5aa6b7583edbfc1f5653607003204326d9e27ef65e8af356c798b21c%40%3Cdev.brooklyn.apache.org%3E"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@apache.org",
"DATE_PUBLIC": "2017-02-10T00:00:00",
"ID": "CVE-2017-3165",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Apache Brooklyn",
"version": {
"version_data": [
{
"version_value": "0.9.0 and all prior versions"
}
]
}
}
]
},
"vendor_name": "Apache Software Foundation"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "In Apache Brooklyn before 0.10.0, the REST server is vulnerable to cross-site scripting where one authenticated user can cause scripts to run in the browser of another user authorized to access the first user\u0027s resources. This is due to improper escaping of server-side content. There is known to be a proof-of-concept exploit using this vulnerability."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Cross-site scripting"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "96228",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/96228"
},
{
"name": "https://brooklyn.apache.org/community/security/CVE-2017-3165.html",
"refsource": "CONFIRM",
"url": "https://brooklyn.apache.org/community/security/CVE-2017-3165.html"
},
{
"name": "[dev] 20170210 [SECURITY] CVE-2017-3165: Cross-site vulnerabilities in Apache Brooklyn",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/5aa6b7583edbfc1f5653607003204326d9e27ef65e8af356c798b21c@%3Cdev.brooklyn.apache.org%3E"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2017-3165",
"datePublished": "2017-09-13T16:00:00Z",
"dateReserved": "2016-12-05T00:00:00",
"dateUpdated": "2024-09-16T18:54:35.712Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2016-8737 (GCVE-0-2016-8737)
Vulnerability from nvd – Published: 2017-09-13 16:00 – Updated: 2024-09-17 03:34
VLAI?
Summary
In Apache Brooklyn before 0.10.0, the REST server is vulnerable to cross-site request forgery (CSRF), which could permit a malicious web site to produce a link which, if clicked whilst a user is logged in to Brooklyn, would cause the server to execute the attacker's commands as the user. There is known to be a proof-of-concept exploit using this vulnerability.
Severity ?
No CVSS data available.
CWE
- Cross-site request forgery (CSRF)
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Apache Brooklyn |
Affected:
0.9.0 and all prior versions
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T02:27:41.305Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://brooklyn.apache.org/community/security/CVE-2016-8737.html"
},
{
"name": "96228",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/96228"
},
{
"name": "[dev] 20170210 [SECURITY] CVE-2016-8737: Cross-site request forgery vulnerability in Apache Brooklyn",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/877813aaaa0e636adbc36106b89a54e0e6918f0884e9c8b67d5d5953%40%3Cdev.brooklyn.apache.org%3E"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Apache Brooklyn",
"vendor": "Apache Software Foundation",
"versions": [
{
"status": "affected",
"version": "0.9.0 and all prior versions"
}
]
}
],
"datePublic": "2017-02-10T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "In Apache Brooklyn before 0.10.0, the REST server is vulnerable to cross-site request forgery (CSRF), which could permit a malicious web site to produce a link which, if clicked whilst a user is logged in to Brooklyn, would cause the server to execute the attacker\u0027s commands as the user. There is known to be a proof-of-concept exploit using this vulnerability."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Cross-site request forgery (CSRF)",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2017-09-14T09:57:01",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://brooklyn.apache.org/community/security/CVE-2016-8737.html"
},
{
"name": "96228",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/96228"
},
{
"name": "[dev] 20170210 [SECURITY] CVE-2016-8737: Cross-site request forgery vulnerability in Apache Brooklyn",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/877813aaaa0e636adbc36106b89a54e0e6918f0884e9c8b67d5d5953%40%3Cdev.brooklyn.apache.org%3E"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@apache.org",
"DATE_PUBLIC": "2017-02-10T00:00:00",
"ID": "CVE-2016-8737",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Apache Brooklyn",
"version": {
"version_data": [
{
"version_value": "0.9.0 and all prior versions"
}
]
}
}
]
},
"vendor_name": "Apache Software Foundation"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "In Apache Brooklyn before 0.10.0, the REST server is vulnerable to cross-site request forgery (CSRF), which could permit a malicious web site to produce a link which, if clicked whilst a user is logged in to Brooklyn, would cause the server to execute the attacker\u0027s commands as the user. There is known to be a proof-of-concept exploit using this vulnerability."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Cross-site request forgery (CSRF)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://brooklyn.apache.org/community/security/CVE-2016-8737.html",
"refsource": "CONFIRM",
"url": "https://brooklyn.apache.org/community/security/CVE-2016-8737.html"
},
{
"name": "96228",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/96228"
},
{
"name": "[dev] 20170210 [SECURITY] CVE-2016-8737: Cross-site request forgery vulnerability in Apache Brooklyn",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/877813aaaa0e636adbc36106b89a54e0e6918f0884e9c8b67d5d5953@%3Cdev.brooklyn.apache.org%3E"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2016-8737",
"datePublished": "2017-09-13T16:00:00Z",
"dateReserved": "2016-10-18T00:00:00",
"dateUpdated": "2024-09-17T03:34:06.512Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2016-8744 (GCVE-0-2016-8744)
Vulnerability from nvd – Published: 2017-09-13 16:00 – Updated: 2024-09-16 18:09
VLAI?
Summary
Apache Brooklyn uses the SnakeYAML library for parsing YAML inputs. SnakeYAML allows the use of YAML tags to indicate that SnakeYAML should unmarshal data to a Java type. In the default configuration in Brooklyn before 0.10.0, SnakeYAML will allow unmarshalling to any Java type available on the classpath. This could provide an authenticated user with a means to cause the JVM running Brooklyn to load and run Java code without detection by Brooklyn. Such code would have the privileges of the Java process running Brooklyn, including the ability to open files and network connections, and execute system commands. There is known to be a proof-of-concept exploit using this vulnerability.
Severity ?
No CVSS data available.
CWE
- Remote code execution
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Apache Brooklyn |
Affected:
0.9.0 and all prior versions
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T02:34:59.620Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://brooklyn.apache.org/community/security/CVE-2016-8744.html"
},
{
"name": "[dev] 20170210 [SECURITY] CVE-2016-8744: Apache Brooklyn, SnakeYAML configuration potentially allows remote code execution",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/3f4d09c1c1a3cdfd1da0a05c8362769b917c078eed5b6c2f8e37a761%40%3Cdev.brooklyn.apache.org%3E"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Apache Brooklyn",
"vendor": "Apache Software Foundation",
"versions": [
{
"status": "affected",
"version": "0.9.0 and all prior versions"
}
]
}
],
"datePublic": "2017-02-10T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Apache Brooklyn uses the SnakeYAML library for parsing YAML inputs. SnakeYAML allows the use of YAML tags to indicate that SnakeYAML should unmarshal data to a Java type. In the default configuration in Brooklyn before 0.10.0, SnakeYAML will allow unmarshalling to any Java type available on the classpath. This could provide an authenticated user with a means to cause the JVM running Brooklyn to load and run Java code without detection by Brooklyn. Such code would have the privileges of the Java process running Brooklyn, including the ability to open files and network connections, and execute system commands. There is known to be a proof-of-concept exploit using this vulnerability."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Remote code execution",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2017-09-13T15:57:01",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://brooklyn.apache.org/community/security/CVE-2016-8744.html"
},
{
"name": "[dev] 20170210 [SECURITY] CVE-2016-8744: Apache Brooklyn, SnakeYAML configuration potentially allows remote code execution",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/3f4d09c1c1a3cdfd1da0a05c8362769b917c078eed5b6c2f8e37a761%40%3Cdev.brooklyn.apache.org%3E"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@apache.org",
"DATE_PUBLIC": "2017-02-10T00:00:00",
"ID": "CVE-2016-8744",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Apache Brooklyn",
"version": {
"version_data": [
{
"version_value": "0.9.0 and all prior versions"
}
]
}
}
]
},
"vendor_name": "Apache Software Foundation"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Apache Brooklyn uses the SnakeYAML library for parsing YAML inputs. SnakeYAML allows the use of YAML tags to indicate that SnakeYAML should unmarshal data to a Java type. In the default configuration in Brooklyn before 0.10.0, SnakeYAML will allow unmarshalling to any Java type available on the classpath. This could provide an authenticated user with a means to cause the JVM running Brooklyn to load and run Java code without detection by Brooklyn. Such code would have the privileges of the Java process running Brooklyn, including the ability to open files and network connections, and execute system commands. There is known to be a proof-of-concept exploit using this vulnerability."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Remote code execution"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://brooklyn.apache.org/community/security/CVE-2016-8744.html",
"refsource": "CONFIRM",
"url": "https://brooklyn.apache.org/community/security/CVE-2016-8744.html"
},
{
"name": "[dev] 20170210 [SECURITY] CVE-2016-8744: Apache Brooklyn, SnakeYAML configuration potentially allows remote code execution",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/3f4d09c1c1a3cdfd1da0a05c8362769b917c078eed5b6c2f8e37a761@%3Cdev.brooklyn.apache.org%3E"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2016-8744",
"datePublished": "2017-09-13T16:00:00Z",
"dateReserved": "2016-10-18T00:00:00",
"dateUpdated": "2024-09-16T18:09:23.475Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2017-3165 (GCVE-0-2017-3165)
Vulnerability from nvd – Published: 2017-09-13 16:00 – Updated: 2024-09-16 18:54
VLAI?
Summary
In Apache Brooklyn before 0.10.0, the REST server is vulnerable to cross-site scripting where one authenticated user can cause scripts to run in the browser of another user authorized to access the first user's resources. This is due to improper escaping of server-side content. There is known to be a proof-of-concept exploit using this vulnerability.
Severity ?
No CVSS data available.
CWE
- Cross-site scripting
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Apache Brooklyn |
Affected:
0.9.0 and all prior versions
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T14:16:28.323Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "96228",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/96228"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://brooklyn.apache.org/community/security/CVE-2017-3165.html"
},
{
"name": "[dev] 20170210 [SECURITY] CVE-2017-3165: Cross-site vulnerabilities in Apache Brooklyn",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/5aa6b7583edbfc1f5653607003204326d9e27ef65e8af356c798b21c%40%3Cdev.brooklyn.apache.org%3E"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Apache Brooklyn",
"vendor": "Apache Software Foundation",
"versions": [
{
"status": "affected",
"version": "0.9.0 and all prior versions"
}
]
}
],
"datePublic": "2017-02-10T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "In Apache Brooklyn before 0.10.0, the REST server is vulnerable to cross-site scripting where one authenticated user can cause scripts to run in the browser of another user authorized to access the first user\u0027s resources. This is due to improper escaping of server-side content. There is known to be a proof-of-concept exploit using this vulnerability."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Cross-site scripting",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2017-09-14T09:57:01",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"name": "96228",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/96228"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://brooklyn.apache.org/community/security/CVE-2017-3165.html"
},
{
"name": "[dev] 20170210 [SECURITY] CVE-2017-3165: Cross-site vulnerabilities in Apache Brooklyn",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/5aa6b7583edbfc1f5653607003204326d9e27ef65e8af356c798b21c%40%3Cdev.brooklyn.apache.org%3E"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@apache.org",
"DATE_PUBLIC": "2017-02-10T00:00:00",
"ID": "CVE-2017-3165",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Apache Brooklyn",
"version": {
"version_data": [
{
"version_value": "0.9.0 and all prior versions"
}
]
}
}
]
},
"vendor_name": "Apache Software Foundation"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "In Apache Brooklyn before 0.10.0, the REST server is vulnerable to cross-site scripting where one authenticated user can cause scripts to run in the browser of another user authorized to access the first user\u0027s resources. This is due to improper escaping of server-side content. There is known to be a proof-of-concept exploit using this vulnerability."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Cross-site scripting"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "96228",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/96228"
},
{
"name": "https://brooklyn.apache.org/community/security/CVE-2017-3165.html",
"refsource": "CONFIRM",
"url": "https://brooklyn.apache.org/community/security/CVE-2017-3165.html"
},
{
"name": "[dev] 20170210 [SECURITY] CVE-2017-3165: Cross-site vulnerabilities in Apache Brooklyn",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/5aa6b7583edbfc1f5653607003204326d9e27ef65e8af356c798b21c@%3Cdev.brooklyn.apache.org%3E"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2017-3165",
"datePublished": "2017-09-13T16:00:00Z",
"dateReserved": "2016-12-05T00:00:00",
"dateUpdated": "2024-09-16T18:54:35.712Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}