CVE-2016-5062 - The web server in Aternity before 9.0.1 does not require authentication for getMBeansFromURL loading

CVE-2016-5062

Summary

The web server in Aternity before 9.0.1 does not require authentication for getMBeansFromURL loading of Java MBeans, which allows remote attackers to execute arbitrary Java code by registering MBeans.

References

http://www.kb.cert.org/vuls/id/706359
http://www.securityfocus.com/bid/93208

Vulnerable Configurations

cpe:2.3:a:aternity:aternity:9.0:*:*:*:*:*:*:*
cpe:2.3:a:aternity:aternity:9.0:*:*:*:*:*:*:*

CVSS

Base:	9.3 (as of 10-04-2017 - 01:59)
Impact:
Exploitability:

CWE

CWE-669

CAPEC

Access

Vector	Complexity	Authentication
NETWORK	MEDIUM	NONE

Impact

Confidentiality	Integrity	Availability
COMPLETE	COMPLETE	COMPLETE

cvss-vector via4

AV:N/AC:M/Au:N/C:C/I:C/A:C

refmap via4

bid	93208
cert-vn	VU#706359

Last major update

10-04-2017 - 01:59

Published

29-09-2016 - 10:59

Last modified

10-04-2017 - 01:59