CVE-2016-8737 Information

Description

In Apache Brooklyn before 0.10.0 the REST server is vulnerable to cross-site request forgery (CSRF) which could permit a malicious web site to produce a link which if clicked whilst a user is logged in to Brooklyn would cause the server to execute the attacker’s commands as the user. There is known to be a proof-of-concept exploit using this vulnerability.

CVSS Vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Reference

http://www.securityfocus.com/bid/96228 https://brooklyn.apache.org/community/security/CVE-2016-8737.html https://lists.apache.org/thread.html/877813aaaa0e636adbc36106b89a54e0e6918f0884e9c8b67d5d5953@3Cdev.brooklyn.apache.org3E

Attack Complexity

LOW

Privileges Required

NONE

User Interaction Required

NONE

Scope

REQUIRED

Confidentiality Impact

UNCHANGED

Integrity Impact

HIGH

Availability Impact

HIGH

Base Score

HIGH

Base Severity

8.8