CVE-2016-6330

The server in Red Hat JBoss Operations Network (JON), when SSL authentication is not configured for JON server / agent communication, allows remote attackers to execute arbitrary code via a crafted HTTP request, related to message deserialization. NOTE: this vulnerability exists because of an incomplete fix for CVE-2016-3737.

Published: Sep 27, 2016
Updated: Nov 8, 2023
CVE: CVE-2016-6330
Severity: Critical
Exploit:

CVSS v3:

Severity: Critical
Score: 9.8
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS v2:

Severity: High
Score: 9
AV:N/AC:L/Au:N/C:P/I:P/A:C

CWEs:

CWE-502

OWASP TOP 10:

A8 - Insecure Deserialization

Affected Software
References

Software	From	Fixed in
redhat / jboss_operations_network	3.0	3.0.x
redhat / jboss_operations_network	3.3.4	3.3.4.x
redhat / jboss_operations_network	3.3.5	3.3.5.x
redhat / jboss_operations_network	3.1	3.1.x
redhat / jboss_operations_network	3.3.2	3.3.2.x
redhat / jboss_operations_network	3.2.0	3.2.0.x
redhat / jboss_operations_network	3.2.2	3.2.2.x
redhat / jboss_operations_network	3.0.1	3.0.1.x
redhat / jboss_operations_network	3.2.3	3.2.3.x
redhat / jboss_operations_network	3.1.2	3.1.2.x
redhat / jboss_operations_network	3.3.1	3.3.1.x
redhat / jboss_operations_network	3.2.1	3.2.1.x
redhat / jboss_operations_network	3.1.1	3.1.1.x
redhat / jboss_operations_network	3.3.6	3.3.6.x
redhat / jboss_operations_network	3.1.4	3.1.4.x
redhat / jboss_operations_network	3.3.3	3.3.3.x

Vulnerability Database

289,599

CVE-2016-6330