PT-2018-5035 · Red Hat · Admin-Cli+1

Bharti Kundal

Published

2018-05-11

Updated

2019-10-09

CVE-2016-8627

CVSS v3.1

6.5

Medium

Vector

AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

Name of the Vulnerable Software and Affected Versions admin-cli versions prior to 3.0.0.alpha25 admin-cli version 2.2.1.cr2

Description The issue allows an EAP feature to download server log files, making them available via GET requests. This makes the logs vulnerable to cross-origin attacks. An attacker could trigger the user's browser to request the log files, consuming enough resources that normal server functioning could be impaired.

Recommendations For versions prior to 3.0.0.alpha25, update to version 3.0.0.alpha25 or later. For version 2.2.1.cr2, consider disabling the EAP feature that allows downloading server log files until a patch is available. Restrict access to server log files to minimize the risk of exploitation.

Fix

Resource Exhaustion

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-400

Related Identifiers

CVE-2016-8627

RHSA-2017:0170

RHSA-2017:0171

RHSA-2017:0173

RHSA-2017:0244

RHSA-2017:0245

RHSA-2017:0246

RHSA-2017:0250

RHSA-2017:3454

RHSA-2017:3455

RHSA-2017:3458

Affected Products

Keycloak

Admin-Cli

PT-2018-5035 · Red Hat · Admin-Cli+1

CVE-2016-8627

Weakness Enumeration

Related Identifiers

Affected Products

References · 19