cvelistv5 - cve-2016-5422

CVE-2016-5422 (GCVE-0-2016-5422)

Vulnerability from cvelistv5 – Published: 2016-09-07 19:00 – Updated: 2024-08-06 01:00

Summary

The web console in Red Hat JBoss Operations Network (JON) before 3.3.7 does not properly authorize requests to add users with the super user role, which allows remote authenticated users to gain admin privileges via a crafted POST request.

Severity ?

No CVSS data available.

CWE

Assigner

redhat

References

URL

GSD-2016-5422

Vulnerability from gsd - Updated: 2023-12-13 01:21

Details

Aliases

CVE-2016-5422

Aliases

CVE-2016-5422

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2016-5422",
    "description": "The web console in Red Hat JBoss Operations Network (JON) before 3.3.7 does not properly authorize requests to add users with the super user role, which allows remote authenticated users to gain admin privileges via a crafted POST request.",
    "id": "GSD-2016-5422",
    "references": [
      "https://access.redhat.com/errata/RHSA-2016:1785"
    ]
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2016-5422"
      ],
      "details": "The web console in Red Hat JBoss Operations Network (JON) before 3.3.7 does not properly authorize requests to add users with the super user role, which allows remote authenticated users to gain admin privileges via a crafted POST request.",
      "id": "GSD-2016-5422",
      "modified": "2023-12-13T01:21:25.771550Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "secalert@redhat.com",
        "ID": "CVE-2016-5422",
        "STATE": "PUBLIC"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "n/a",
                    "version": {
                      "version_data": [
                        {
                          "version_affected": "=",
                          "version_value": "n/a"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "n/a"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "The web console in Red Hat JBoss Operations Network (JON) before 3.3.7 does not properly authorize requests to add users with the super user role, which allows remote authenticated users to gain admin privileges via a crafted POST request."
          }
        ]
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "n/a"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "http://rhn.redhat.com/errata/RHSA-2016-1785.html",
            "refsource": "MISC",
            "url": "http://rhn.redhat.com/errata/RHSA-2016-1785.html"
          },
          {
            "name": "http://www.securityfocus.com/bid/92722",
            "refsource": "MISC",
            "url": "http://www.securityfocus.com/bid/92722"
          }
        ]
      }
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:redhat:jboss_operations_network:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndIncluding": "3.3.6",
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "secalert@redhat.com",
          "ID": "CVE-2016-5422"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "The web console in Red Hat JBoss Operations Network (JON) before 3.3.7 does not properly authorize requests to add users with the super user role, which allows remote authenticated users to gain admin privileges via a crafted POST request."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-264"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "RHSA-2016:1785",
              "refsource": "REDHAT",
              "tags": [
                "Patch",
                "Vendor Advisory"
              ],
              "url": "http://rhn.redhat.com/errata/RHSA-2016-1785.html"
            },
            {
              "name": "92722",
              "refsource": "BID",
              "tags": [
                "Third Party Advisory",
                "VDB Entry"
              ],
              "url": "http://www.securityfocus.com/bid/92722"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV2": {
          "cvssV2": {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "SINGLE",
            "availabilityImpact": "PARTIAL",
            "baseScore": 6.5,
            "confidentialityImpact": "PARTIAL",
            "integrityImpact": "PARTIAL",
            "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P",
            "version": "2.0"
          },
          "exploitabilityScore": 8.0,
          "impactScore": 6.4,
          "obtainAllPrivilege": false,
          "obtainOtherPrivilege": false,
          "obtainUserPrivilege": false,
          "severity": "MEDIUM",
          "userInteractionRequired": false
        },
        "baseMetricV3": {
          "cvssV3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.0"
          },
          "exploitabilityScore": 2.8,
          "impactScore": 5.9
        }
      },
      "lastModifiedDate": "2016-09-08T17:08Z",
      "publishedDate": "2016-09-07T19:28Z"
    }
  }
}

RHSA-2016_1785

Vulnerability from csaf_redhat - Published: 2016-08-31 16:58 - Updated: 2024-11-22 10:19

Summary

Red Hat Security Advisory: Red Hat JBoss Operations Network 3.3.7 security and bug fix update

Notes

Topic

An update is now available for Red Hat JBoss Operations Network. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Details

Red Hat JBoss Operations Network is a Middleware management solution that provides a single point of control to deploy, manage, and monitor JBoss Enterprise Middleware, applications, and services. This JBoss Operations Network 3.3.7 release serves as a replacement for JBoss Operations Network 3.3.6, and includes several bug fixes. Refer to the Customer Portal page linked in the References section for information on the most significant of these changes. Security Fix(es): * It was found that JBoss Operations Network allowed regular users to add a new super user by sending a specially crafted request to the web console. This attacks allows escalation of privileges. (CVE-2016-5422) This issue was discovered by Jeremy Choi (Red Hat Product Security). Before applying this update, back up your existing JBoss Operations Network installation (including its databases, applications, configuration files, the JBoss Operations Network server's file system directory, and so on).

This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://access.redhat.com/security/updates/classification/",
      "text": "Moderate"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "An update is now available for Red Hat JBoss Operations Network.\n\nRed Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
        "title": "Topic"
      },
      {
        "category": "general",
        "text": "Red Hat JBoss Operations Network is a Middleware management solution that\nprovides a single point of control to deploy, manage, and monitor JBoss\nEnterprise Middleware, applications, and services.\n\nThis JBoss Operations Network 3.3.7 release serves as a replacement for\nJBoss Operations Network 3.3.6, and includes several bug fixes. Refer to\nthe Customer Portal page linked in the References section for information\non the most significant of these changes.\n\nSecurity Fix(es):\n\n* It was found that JBoss Operations Network allowed regular users to add a\nnew super user by sending a specially crafted request to the web console.\nThis attacks allows escalation of privileges. (CVE-2016-5422)\n\nThis issue was discovered by Jeremy Choi (Red Hat Product Security).\n\nBefore applying this update, back up your existing JBoss Operations Network\ninstallation (including its databases, applications, configuration files,\nthe JBoss Operations Network server\u0027s file system directory, and so on).",
        "title": "Details"
      },
      {
        "category": "legal_disclaimer",
        "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
        "title": "Terms of Use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://access.redhat.com/security/team/contact/",
      "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
      "name": "Red Hat Product Security",
      "namespace": "https://www.redhat.com"
    },
    "references": [
      {
        "category": "self",
        "summary": "https://access.redhat.com/errata/RHSA-2016:1785",
        "url": "https://access.redhat.com/errata/RHSA-2016:1785"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/updates/classification/#moderate",
        "url": "https://access.redhat.com/security/updates/classification/#moderate"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=em\u0026downloadType=securityPatches\u0026version=3.3",
        "url": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=em\u0026downloadType=securityPatches\u0026version=3.3"
      },
      {
        "category": "external",
        "summary": "1301970",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1301970"
      },
      {
        "category": "external",
        "summary": "1359002",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1359002"
      },
      {
        "category": "external",
        "summary": "1361933",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1361933"
      },
      {
        "category": "self",
        "summary": "Canonical URL",
        "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2016/rhsa-2016_1785.json"
      }
    ],
    "title": "Red Hat Security Advisory: Red Hat JBoss Operations Network 3.3.7 security and bug fix update",
    "tracking": {
      "current_release_date": "2024-11-22T10:19:12+00:00",
      "generator": {
        "date": "2024-11-22T10:19:12+00:00",
        "engine": {
          "name": "Red Hat SDEngine",
          "version": "4.2.1"
        }
      },
      "id": "RHSA-2016:1785",
      "initial_release_date": "2016-08-31T16:58:53+00:00",
      "revision_history": [
        {
          "date": "2016-08-31T16:58:53+00:00",
          "number": "1",
          "summary": "Initial version"
        },
        {
          "date": "2017-09-05T12:48:45+00:00",
          "number": "2",
          "summary": "Last updated version"
        },
        {
          "date": "2024-11-22T10:19:12+00:00",
          "number": "3",
          "summary": "Last generated version"
        }
      ],
      "status": "final",
      "version": "3"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_name",
                "name": "Red Hat JBoss Operations Network 3.3",
                "product": {
                  "name": "Red Hat JBoss Operations Network 3.3",
                  "product_id": "Red Hat JBoss Operations Network 3.3",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:redhat:jboss_operations_network:3.3"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "Red Hat JBoss Operations Network"
          }
        ],
        "category": "vendor",
        "name": "Red Hat"
      }
    ]
  },
  "vulnerabilities": [
    {
      "acknowledgments": [
        {
          "names": [
            "Jeremy Choi"
          ],
          "organization": "Red Hat Product Security Team",
          "summary": "This issue was discovered by Red Hat."
        }
      ],
      "cve": "CVE-2016-5422",
      "cwe": {
        "id": "CWE-285",
        "name": "Improper Authorization"
      },
      "discovery_date": "2016-08-01T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "1361933"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "It was found that JBoss Operations Network allowed regular users to add a new super user by sending a specially crafted request to the web console. This attacks allows escalation of privileges.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "JON3: privilege escalation via improper authorization",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat JBoss Operations Network 3.3"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2016-5422"
        },
        {
          "category": "external",
          "summary": "RHBZ#1361933",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1361933"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2016-5422",
          "url": "https://www.cve.org/CVERecord?id=CVE-2016-5422"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2016-5422",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2016-5422"
        }
      ],
      "release_date": "2016-08-31T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2016-08-31T16:58:53+00:00",
          "details": "The References section of this erratum contains a download link (you must\nlog in to download the update). Before applying this update, back up your\nexisting JBoss Operations Network installation (including its databases,\napplications, configuration files, the JBoss Operations Network server\u0027s\nfile system directory, and so on).\n\nRefer to the JBoss Operations Network 3.3.7 Release Notes for\ninstallation information.",
          "product_ids": [
            "Red Hat JBoss Operations Network 3.3"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2016:1785"
        }
      ],
      "scores": [
        {
          "cvss_v2": {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "SINGLE",
            "availabilityImpact": "PARTIAL",
            "baseScore": 6.5,
            "confidentialityImpact": "PARTIAL",
            "integrityImpact": "PARTIAL",
            "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P",
            "version": "2.0"
          },
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 9.9,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
            "version": "3.0"
          },
          "products": [
            "Red Hat JBoss Operations Network 3.3"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "JON3: privilege escalation via improper authorization"
    }
  ]
}

RHSA-2016:1785

Vulnerability from csaf_redhat - Published: 2016-08-31 16:58 - Updated: 2025-11-21 17:57

Summary

Red Hat Security Advisory: Red Hat JBoss Operations Network 3.3.7 security and bug fix update

Notes

Topic

Details

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://access.redhat.com/security/updates/classification/",
      "text": "Moderate"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "An update is now available for Red Hat JBoss Operations Network.\n\nRed Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
        "title": "Topic"
      },
      {
        "category": "general",
        "text": "Red Hat JBoss Operations Network is a Middleware management solution that\nprovides a single point of control to deploy, manage, and monitor JBoss\nEnterprise Middleware, applications, and services.\n\nThis JBoss Operations Network 3.3.7 release serves as a replacement for\nJBoss Operations Network 3.3.6, and includes several bug fixes. Refer to\nthe Customer Portal page linked in the References section for information\non the most significant of these changes.\n\nSecurity Fix(es):\n\n* It was found that JBoss Operations Network allowed regular users to add a\nnew super user by sending a specially crafted request to the web console.\nThis attacks allows escalation of privileges. (CVE-2016-5422)\n\nThis issue was discovered by Jeremy Choi (Red Hat Product Security).\n\nBefore applying this update, back up your existing JBoss Operations Network\ninstallation (including its databases, applications, configuration files,\nthe JBoss Operations Network server\u0027s file system directory, and so on).",
        "title": "Details"
      },
      {
        "category": "legal_disclaimer",
        "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
        "title": "Terms of Use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://access.redhat.com/security/team/contact/",
      "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
      "name": "Red Hat Product Security",
      "namespace": "https://www.redhat.com"
    },
    "references": [
      {
        "category": "self",
        "summary": "https://access.redhat.com/errata/RHSA-2016:1785",
        "url": "https://access.redhat.com/errata/RHSA-2016:1785"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/updates/classification/#moderate",
        "url": "https://access.redhat.com/security/updates/classification/#moderate"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=em\u0026downloadType=securityPatches\u0026version=3.3",
        "url": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=em\u0026downloadType=securityPatches\u0026version=3.3"
      },
      {
        "category": "external",
        "summary": "1301970",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1301970"
      },
      {
        "category": "external",
        "summary": "1359002",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1359002"
      },
      {
        "category": "external",
        "summary": "1361933",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1361933"
      },
      {
        "category": "self",
        "summary": "Canonical URL",
        "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2016/rhsa-2016_1785.json"
      }
    ],
    "title": "Red Hat Security Advisory: Red Hat JBoss Operations Network 3.3.7 security and bug fix update",
    "tracking": {
      "current_release_date": "2025-11-21T17:57:23+00:00",
      "generator": {
        "date": "2025-11-21T17:57:23+00:00",
        "engine": {
          "name": "Red Hat SDEngine",
          "version": "4.6.12"
        }
      },
      "id": "RHSA-2016:1785",
      "initial_release_date": "2016-08-31T16:58:53+00:00",
      "revision_history": [
        {
          "date": "2016-08-31T16:58:53+00:00",
          "number": "1",
          "summary": "Initial version"
        },
        {
          "date": "2017-09-05T12:48:45+00:00",
          "number": "2",
          "summary": "Last updated version"
        },
        {
          "date": "2025-11-21T17:57:23+00:00",
          "number": "3",
          "summary": "Last generated version"
        }
      ],
      "status": "final",
      "version": "3"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_name",
                "name": "Red Hat JBoss Operations Network 3.3",
                "product": {
                  "name": "Red Hat JBoss Operations Network 3.3",
                  "product_id": "Red Hat JBoss Operations Network 3.3",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:redhat:jboss_operations_network:3.3"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "Red Hat JBoss Operations Network"
          }
        ],
        "category": "vendor",
        "name": "Red Hat"
      }
    ]
  },
  "vulnerabilities": [
    {
      "acknowledgments": [
        {
          "names": [
            "Jeremy Choi"
          ],
          "organization": "Red Hat Product Security Team",
          "summary": "This issue was discovered by Red Hat."
        }
      ],
      "cve": "CVE-2016-5422",
      "cwe": {
        "id": "CWE-285",
        "name": "Improper Authorization"
      },
      "discovery_date": "2016-08-01T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "1361933"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "It was found that JBoss Operations Network allowed regular users to add a new super user by sending a specially crafted request to the web console. This attacks allows escalation of privileges.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "JON3: privilege escalation via improper authorization",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat JBoss Operations Network 3.3"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2016-5422"
        },
        {
          "category": "external",
          "summary": "RHBZ#1361933",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1361933"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2016-5422",
          "url": "https://www.cve.org/CVERecord?id=CVE-2016-5422"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2016-5422",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2016-5422"
        }
      ],
      "release_date": "2016-08-31T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2016-08-31T16:58:53+00:00",
          "details": "The References section of this erratum contains a download link (you must\nlog in to download the update). Before applying this update, back up your\nexisting JBoss Operations Network installation (including its databases,\napplications, configuration files, the JBoss Operations Network server\u0027s\nfile system directory, and so on).\n\nRefer to the JBoss Operations Network 3.3.7 Release Notes for\ninstallation information.",
          "product_ids": [
            "Red Hat JBoss Operations Network 3.3"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2016:1785"
        }
      ],
      "scores": [
        {
          "cvss_v2": {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "SINGLE",
            "availabilityImpact": "PARTIAL",
            "baseScore": 6.5,
            "confidentialityImpact": "PARTIAL",
            "integrityImpact": "PARTIAL",
            "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P",
            "version": "2.0"
          },
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 9.9,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
            "version": "3.0"
          },
          "products": [
            "Red Hat JBoss Operations Network 3.3"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "JON3: privilege escalation via improper authorization"
    }
  ]
}

CNVD-2016-07120

Vulnerability from cnvd - Published: 2016-09-04

Title

Red Hat JBoss Operations Network远程权限提升漏洞

Description

Red Hat JBoss Operations Network是一款基于J2EE的开源应用程序服务器，它可部署、管理、监控JBoss企业中间件、应用程序和服务。 Red Hat JBoss Operations Network存在远程权限提升漏洞，允许攻击者利用该漏洞获取权限提升。

Severity

高

Patch Name

Red Hat JBoss Operations Network远程权限提升漏洞的补丁

Patch Description

Red Hat JBoss Operations Network是一款基于J2EE的开源应用程序服务器，它可部署、管理、监控JBoss企业中间件、应用程序和服务。 Red Hat JBoss Operations Network存在远程权限提升漏洞，允许攻击者利用该漏洞获取权限提升。目前，供应商发布了安全公告及相关补丁信息，修复了此漏洞。

Formal description

目前厂商已经发布了升级补丁以修复此安全问题，补丁获取链接： https://rhn.redhat.com/errata/RHSA-2016-1785.html

Reference

http://www.securityfocus.com/bid/92722

Impacted products

Name
Red Hat JBoss Operations Network

Show details on source website

JSON

To clipboard

{
  "bids": {
    "bid": {
      "bidNumber": "92722"
    }
  },
  "cves": {
    "cve": {
      "cveNumber": "CVE-2016-5422"
    }
  },
  "description": "Red Hat JBoss Operations Network\u662f\u4e00\u6b3e\u57fa\u4e8eJ2EE\u7684\u5f00\u6e90\u5e94\u7528\u7a0b\u5e8f\u670d\u52a1\u5668\uff0c\u5b83\u53ef\u90e8\u7f72\u3001\u7ba1\u7406\u3001\u76d1\u63a7JBoss\u4f01\u4e1a\u4e2d\u95f4\u4ef6\u3001\u5e94\u7528\u7a0b\u5e8f\u548c\u670d\u52a1\u3002\r\n\r\nRed Hat JBoss Operations Network\u5b58\u5728\u8fdc\u7a0b\u6743\u9650\u63d0\u5347\u6f0f\u6d1e\uff0c\u5141\u8bb8\u653b\u51fb\u8005\u5229\u7528\u8be5\u6f0f\u6d1e\u83b7\u53d6\u6743\u9650\u63d0\u5347\u3002",
  "discovererName": "Jeremy Choi of Red Hat.",
  "formalWay": "\u76ee\u524d\u5382\u5546\u5df2\u7ecf\u53d1\u5e03\u4e86\u5347\u7ea7\u8865\u4e01\u4ee5\u4fee\u590d\u6b64\u5b89\u5168\u95ee\u9898\uff0c\u8865\u4e01\u83b7\u53d6\u94fe\u63a5\uff1a\r\nhttps://rhn.redhat.com/errata/RHSA-2016-1785.html",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2016-07120",
  "openTime": "2016-09-04",
  "patchDescription": "Red Hat JBoss Operations Network\u662f\u4e00\u6b3e\u57fa\u4e8eJ2EE\u7684\u5f00\u6e90\u5e94\u7528\u7a0b\u5e8f\u670d\u52a1\u5668\uff0c\u5b83\u53ef\u90e8\u7f72\u3001\u7ba1\u7406\u3001\u76d1\u63a7JBoss\u4f01\u4e1a\u4e2d\u95f4\u4ef6\u3001\u5e94\u7528\u7a0b\u5e8f\u548c\u670d\u52a1\u3002\r\n\r\nRed Hat JBoss Operations Network\u5b58\u5728\u8fdc\u7a0b\u6743\u9650\u63d0\u5347\u6f0f\u6d1e\uff0c\u5141\u8bb8\u653b\u51fb\u8005\u5229\u7528\u8be5\u6f0f\u6d1e\u83b7\u53d6\u6743\u9650\u63d0\u5347\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "Red Hat JBoss Operations Network\u8fdc\u7a0b\u6743\u9650\u63d0\u5347\u6f0f\u6d1e\u7684\u8865\u4e01",
  "products": {
    "product": "Red Hat JBoss Operations Network"
  },
  "referenceLink": "http://www.securityfocus.com/bid/92722",
  "serverity": "\u9ad8",
  "submitTime": "2016-09-03",
  "title": "Red Hat JBoss Operations Network\u8fdc\u7a0b\u6743\u9650\u63d0\u5347\u6f0f\u6d1e"
}

FKIE_CVE-2016-5422

Vulnerability from fkie_nvd - Published: 2016-09-07 19:28 - Updated: 2025-04-12 10:46

Severity ?

8.8 (High) - CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Summary

References

URL	Tags
secalert@redhat.com	http://rhn.redhat.com/errata/RHSA-2016-1785.html	Patch, Vendor Advisory
secalert@redhat.com	http://www.securityfocus.com/bid/92722	Third Party Advisory, VDB Entry
af854a3a-2127-422b-91ae-364da2661108	http://rhn.redhat.com/errata/RHSA-2016-1785.html	Patch, Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108	http://www.securityfocus.com/bid/92722	Third Party Advisory, VDB Entry

Impacted products

	Vendor	Product	Version
	redhat	jboss_operations_network	*

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:redhat:jboss_operations_network:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "522D28A2-D89E-41E8-A1A8-3577C86C773B",
              "versionEndIncluding": "3.3.6",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "The web console in Red Hat JBoss Operations Network (JON) before 3.3.7 does not properly authorize requests to add users with the super user role, which allows remote authenticated users to gain admin privileges via a crafted POST request."
    },
    {
      "lang": "es",
      "value": "La consola web en Red Hat JBoss Operations Network (JON) en versiones anteriores a 3.3.7 no autoriza adecuadamente peticiones para agregar usuarios con el rol de superusuario, lo que permite a usuarios remotos autenticados obtener privilegios de administrador a trav\u00e9s de una petici\u00f3n POST manipulada."
    }
  ],
  "id": "CVE-2016-5422",
  "lastModified": "2025-04-12T10:46:40.837",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "LOW",
          "accessVector": "NETWORK",
          "authentication": "SINGLE",
          "availabilityImpact": "PARTIAL",
          "baseScore": 6.5,
          "confidentialityImpact": "PARTIAL",
          "integrityImpact": "PARTIAL",
          "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P",
          "version": "2.0"
        },
        "exploitabilityScore": 8.0,
        "impactScore": 6.4,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ],
    "cvssMetricV30": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 8.8,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "version": "3.0"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 5.9,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2016-09-07T19:28:03.737",
  "references": [
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Patch",
        "Vendor Advisory"
      ],
      "url": "http://rhn.redhat.com/errata/RHSA-2016-1785.html"
    },
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Third Party Advisory",
        "VDB Entry"
      ],
      "url": "http://www.securityfocus.com/bid/92722"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch",
        "Vendor Advisory"
      ],
      "url": "http://rhn.redhat.com/errata/RHSA-2016-1785.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory",
        "VDB Entry"
      ],
      "url": "http://www.securityfocus.com/bid/92722"
    }
  ],
  "sourceIdentifier": "secalert@redhat.com",
  "vulnStatus": "Deferred",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-264"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

GHSA-M8FX-9GM9-PHM3

Vulnerability from github – Published: 2022-05-17 03:49 – Updated: 2022-05-17 03:49

Details

Severity ?

8.8 (High)


                  
                    CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Show details on source website

JSON

To clipboard

{
  "affected": [],
  "aliases": [
    "CVE-2016-5422"
  ],
  "database_specific": {
    "cwe_ids": [],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2016-09-07T19:28:00Z",
    "severity": "HIGH"
  },
  "details": "The web console in Red Hat JBoss Operations Network (JON) before 3.3.7 does not properly authorize requests to add users with the super user role, which allows remote authenticated users to gain admin privileges via a crafted POST request.",
  "id": "GHSA-m8fx-9gm9-phm3",
  "modified": "2022-05-17T03:49:15Z",
  "published": "2022-05-17T03:49:15Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2016-5422"
    },
    {
      "type": "WEB",
      "url": "http://rhn.redhat.com/errata/RHSA-2016-1785.html"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/92722"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2016-5422 (GCVE-0-2016-5422)

GSD-2016-5422

RHSA-2016_1785

RHSA-2016:1785

CNVD-2016-07120

FKIE_CVE-2016-5422

GHSA-M8FX-9GM9-PHM3

Tags

Sightings

Nomenclature