Remote Command Execution in HPE Service Manager by HPE
CVE-2016-1998

9.8CRITICAL

Key Information:

Vendor: HP
Status: Service Manager
Vendor: CVE Published:; 22 March 2016

What is CVE-2016-1998?

A vulnerability in HPE Service Manager permits remote attackers to execute arbitrary commands through crafted serialized Java objects. This issue arises due to improper validation within the Apache Commons Collections library, specifically affecting versions 9.3x prior to 9.35 P4 and 9.4x prior to 9.41.P2. Exploitation of this vulnerability can lead to unauthorized access to system resources, compromising the integrity and security of the application and its host environment.

References

https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/do...

x_refsource_CONFIRM

EPSS Score

6% chance of being exploited in the next 30 days.

CVSS V3.1

Score:

9.8

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Mar 22, 2016
Vulnerability Reserved
Jan 22, 2016

CVE-2016-1998 Data

JSON