Cross-Site Request Forgery Vulnerability in Apache Brooklyn REST Server
CVE-2016-8737

8.8HIGH

Key Information:

Vendor

Apache
Status
Apache Brooklyn
Vendor
CVE Published:
13 September 2017

What is CVE-2016-8737?

In Apache Brooklyn prior to version 0.10.0, a security vulnerability exists in the REST server that is susceptible to cross-site request forgery (CSRF). This flaw allows malicious websites to craft links capable of executing unwanted commands on the server while a user is logged in. If a user unwittingly clicks on such a link, the attacker's commands may be executed with the user's privileges. A proof-of-concept exploit for this vulnerability is publicly available, underscoring the importance of patching affected versions.

Affected Version(s)

Apache Brooklyn 0.9.0 and all prior versions

References

https://brooklyn.apache.org/community/security/CVE-2016-8...
x_refsource_CONFIRM
http://www.securityfocus.com/bid/96228
vdb-entryx_refsource_BID
https://lists.apache.org/thread.html/877813aaaa0e636adbc3...
mailing-listx_refsource_MLIST

CVSS V3.1

Score:
8.8
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
Required
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.