PT-2018-5035 · Red Hat · Admin-Cli+1

Bharti Kundal

Publicado

2018-05-11

Atualizado

2019-10-09

CVE-2016-8627

CVSS v3.1

6.5

Média

Vetor

AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

Name of the Vulnerable Software and Affected Versions admin-cli versions prior to 3.0.0.alpha25 admin-cli version 2.2.1.cr2

Description The issue allows an EAP feature to download server log files, making them available via GET requests. This makes the logs vulnerable to cross-origin attacks. An attacker could trigger the user's browser to request the log files, consuming enough resources that normal server functioning could be impaired.

Recommendations For versions prior to 3.0.0.alpha25, update to version 3.0.0.alpha25 or later. For version 2.2.1.cr2, consider disabling the EAP feature that allows downloading server log files until a patch is available. Restrict access to server log files to minimize the risk of exploitation.

Correção

Resource Exhaustion

Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾

dbugs@ptsecurity.com

Enumeração de Fraquezas

CWE-400

Identificadores relacionados

CVE-2016-8627

RHSA-2017:0170

RHSA-2017:0171

RHSA-2017:0173

RHSA-2017:0244

RHSA-2017:0245

RHSA-2017:0246

RHSA-2017:0250

RHSA-2017:3454

RHSA-2017:3455

RHSA-2017:3458

Produtos afetados

Keycloak

Admin-Cli

PT-2018-5035 · Red Hat · Admin-Cli+1

CVE-2016-8627

Enumeração de Fraquezas

Identificadores relacionados

Produtos afetados

Referências · 19