cnvd - cnvd-2016-01094

cnvd-2016-01094

Vulnerability from cnvd

Title: Adobe Experience Manager Apache Sling Servlets Post组件信息泄露漏洞

Description:

Apache Sling是Java平台上的开源Web框架，在JCR内容库上创建面向内容的应用。Adobe Experience Manager（AEM）是美国奥多比（Adobe）公司的一套可用于构建网站、移动应用程序和表单的内容管理解决方案。Servlets Post是其中的一个容器。

Adobe Experience Manager中使用的Apache Sling的Servlets Post组件中存在信息泄露漏洞，允许远程攻击者通过未指定向量获取敏感信息。

Severity: 中

Patch Name: Adobe Experience Manager Apache Sling Servlets Post组件信息泄露漏洞的补丁

Patch Description:

Adobe Experience Manager中使用的Apache Sling的Servlets Post组件中存在信息泄露漏洞，允许远程攻击者通过未指定向量获取敏感信息。目前，供应商发布了安全公告及相关补丁信息，修复了此漏洞。

Formal description:

用户可参考如下厂商提供的安全公告获取补丁以修复该漏洞： https://helpx.adobe.com/security/products/experience-manager/apsb16-05.html

Reference: https://helpx.adobe.com/security/products/experience-manager/apsb16-05.html

Impacted products

Name
['Adobe Experience Manager 5.6.1', 'Adobe Experience Manager 6.0.0', 'Adobe Experience Manager 6.1.0']

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2016-0956"
    }
  },
  "description": "Apache Sling\u662fJava\u5e73\u53f0\u4e0a\u7684\u5f00\u6e90Web\u6846\u67b6\uff0c\u5728JCR\u5185\u5bb9\u5e93\u4e0a\u521b\u5efa\u9762\u5411\u5185\u5bb9\u7684\u5e94\u7528\u3002Adobe Experience Manager\uff08AEM\uff09\u662f\u7f8e\u56fd\u5965\u591a\u6bd4\uff08Adobe\uff09\u516c\u53f8\u7684\u4e00\u5957\u53ef\u7528\u4e8e\u6784\u5efa\u7f51\u7ad9\u3001\u79fb\u52a8\u5e94\u7528\u7a0b\u5e8f\u548c\u8868\u5355\u7684\u5185\u5bb9\u7ba1\u7406\u89e3\u51b3\u65b9\u6848\u3002Servlets Post\u662f\u5176\u4e2d\u7684\u4e00\u4e2a\u5bb9\u5668\u3002\r\n\r\nAdobe Experience Manager\u4e2d\u4f7f\u7528\u7684Apache Sling\u7684Servlets Post\u7ec4\u4ef6\u4e2d\u5b58\u5728\u4fe1\u606f\u6cc4\u9732\u6f0f\u6d1e\uff0c\u5141\u8bb8\u8fdc\u7a0b\u653b\u51fb\u8005\u901a\u8fc7\u672a\u6307\u5b9a\u5411\u91cf\u83b7\u53d6\u654f\u611f\u4fe1\u606f\u3002",
  "discovererName": "Ateeq ur Rehman Khan - Vulnerability Labs (@CyberCrimeNEWS)",
  "formalWay": "\u7528\u6237\u53ef\u53c2\u8003\u5982\u4e0b\u5382\u5546\u63d0\u4f9b\u7684\u5b89\u5168\u516c\u544a\u83b7\u53d6\u8865\u4e01\u4ee5\u4fee\u590d\u8be5\u6f0f\u6d1e\uff1a\r\nhttps://helpx.adobe.com/security/products/experience-manager/apsb16-05.html",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2016-01094",
  "openTime": "2016-02-17",
  "patchDescription": "Apache Sling\u662fJava\u5e73\u53f0\u4e0a\u7684\u5f00\u6e90Web\u6846\u67b6\uff0c\u5728JCR\u5185\u5bb9\u5e93\u4e0a\u521b\u5efa\u9762\u5411\u5185\u5bb9\u7684\u5e94\u7528\u3002Adobe Experience Manager\uff08AEM\uff09\u662f\u7f8e\u56fd\u5965\u591a\u6bd4\uff08Adobe\uff09\u516c\u53f8\u7684\u4e00\u5957\u53ef\u7528\u4e8e\u6784\u5efa\u7f51\u7ad9\u3001\u79fb\u52a8\u5e94\u7528\u7a0b\u5e8f\u548c\u8868\u5355\u7684\u5185\u5bb9\u7ba1\u7406\u89e3\u51b3\u65b9\u6848\u3002Servlets Post\u662f\u5176\u4e2d\u7684\u4e00\u4e2a\u5bb9\u5668\u3002\r\n\r\nAdobe Experience Manager\u4e2d\u4f7f\u7528\u7684Apache Sling\u7684Servlets Post\u7ec4\u4ef6\u4e2d\u5b58\u5728\u4fe1\u606f\u6cc4\u9732\u6f0f\u6d1e\uff0c\u5141\u8bb8\u8fdc\u7a0b\u653b\u51fb\u8005\u901a\u8fc7\u672a\u6307\u5b9a\u5411\u91cf\u83b7\u53d6\u654f\u611f\u4fe1\u606f\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "Adobe Experience Manager Apache Sling Servlets Post\u7ec4\u4ef6\u4fe1\u606f\u6cc4\u9732\u6f0f\u6d1e\u7684\u8865\u4e01",
  "products": {
    "product": [
      "Adobe Experience Manager 5.6.1",
      "Adobe Experience Manager 6.0.0",
      "Adobe Experience Manager 6.1.0"
    ]
  },
  "referenceLink": "https://helpx.adobe.com/security/products/experience-manager/apsb16-05.html",
  "serverity": "\u4e2d",
  "submitTime": "2016-02-11",
  "title": "Adobe Experience Manager Apache Sling Servlets Post\u7ec4\u4ef6\u4fe1\u606f\u6cc4\u9732\u6f0f\u6d1e"
}

CVE-2016-0956 (GCVE-0-2016-0956)

Vulnerability from cvelistv5

Published

2016-02-10 20:00

Modified

2024-08-05 22:38

Severity ?

CWE

Summary

The Servlets Post component 2.3.6 in Apache Sling, as used in Adobe Experience Manager 5.6.1, 6.0.0, and 6.1.0, allows remote attackers to obtain sensitive information via unspecified vectors.

References

▼	URL	Tags
	http://seclists.org/fulldisclosure/2016/Feb/48	mailing-list, x_refsource_FULLDISC
	https://helpx.adobe.com/security/products/experience-manager/apsb16-05.html	x_refsource_CONFIRM
	http://www.securityfocus.com/archive/1/537498/100/0/threaded	mailing-list, x_refsource_BUGTRAQ
	https://www.exploit-db.com/exploits/39435/	exploit, x_refsource_EXPLOIT-DB
	http://packetstormsecurity.com/files/135720/Apache-Sling-Framework-2.3.6-Information-Disclosure.html	x_refsource_MISC

Impacted products

	Vendor	Product	Version
	n/a	n/a	Version: n/a

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-05T22:38:41.503Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "20160210 Apache Sling Framework v2.3.6 (Adobe AEM) [CVE-2016-0956] - Information Disclosure Vulnerability",
            "tags": [
              "mailing-list",
              "x_refsource_FULLDISC",
              "x_transferred"
            ],
            "url": "http://seclists.org/fulldisclosure/2016/Feb/48"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://helpx.adobe.com/security/products/experience-manager/apsb16-05.html"
          },
          {
            "name": "20160210 Apache Sling Framework v2.3.6 - Information Disclosure Vulnerability",
            "tags": [
              "mailing-list",
              "x_refsource_BUGTRAQ",
              "x_transferred"
            ],
            "url": "http://www.securityfocus.com/archive/1/537498/100/0/threaded"
          },
          {
            "name": "39435",
            "tags": [
              "exploit",
              "x_refsource_EXPLOIT-DB",
              "x_transferred"
            ],
            "url": "https://www.exploit-db.com/exploits/39435/"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "http://packetstormsecurity.com/files/135720/Apache-Sling-Framework-2.3.6-Information-Disclosure.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "datePublic": "2016-02-09T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "The Servlets Post component 2.3.6 in Apache Sling, as used in Adobe Experience Manager 5.6.1, 6.0.0, and 6.1.0, allows remote attackers to obtain sensitive information via unspecified vectors."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2018-10-09T18:57:01",
        "orgId": "078d4453-3bcd-4900-85e6-15281da43538",
        "shortName": "adobe"
      },
      "references": [
        {
          "name": "20160210 Apache Sling Framework v2.3.6 (Adobe AEM) [CVE-2016-0956] - Information Disclosure Vulnerability",
          "tags": [
            "mailing-list",
            "x_refsource_FULLDISC"
          ],
          "url": "http://seclists.org/fulldisclosure/2016/Feb/48"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://helpx.adobe.com/security/products/experience-manager/apsb16-05.html"
        },
        {
          "name": "20160210 Apache Sling Framework v2.3.6 - Information Disclosure Vulnerability",
          "tags": [
            "mailing-list",
            "x_refsource_BUGTRAQ"
          ],
          "url": "http://www.securityfocus.com/archive/1/537498/100/0/threaded"
        },
        {
          "name": "39435",
          "tags": [
            "exploit",
            "x_refsource_EXPLOIT-DB"
          ],
          "url": "https://www.exploit-db.com/exploits/39435/"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "http://packetstormsecurity.com/files/135720/Apache-Sling-Framework-2.3.6-Information-Disclosure.html"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "psirt@adobe.com",
          "ID": "CVE-2016-0956",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "The Servlets Post component 2.3.6 in Apache Sling, as used in Adobe Experience Manager 5.6.1, 6.0.0, and 6.1.0, allows remote attackers to obtain sensitive information via unspecified vectors."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "20160210 Apache Sling Framework v2.3.6 (Adobe AEM) [CVE-2016-0956] - Information Disclosure Vulnerability",
              "refsource": "FULLDISC",
              "url": "http://seclists.org/fulldisclosure/2016/Feb/48"
            },
            {
              "name": "https://helpx.adobe.com/security/products/experience-manager/apsb16-05.html",
              "refsource": "CONFIRM",
              "url": "https://helpx.adobe.com/security/products/experience-manager/apsb16-05.html"
            },
            {
              "name": "20160210 Apache Sling Framework v2.3.6 - Information Disclosure Vulnerability",
              "refsource": "BUGTRAQ",
              "url": "http://www.securityfocus.com/archive/1/537498/100/0/threaded"
            },
            {
              "name": "39435",
              "refsource": "EXPLOIT-DB",
              "url": "https://www.exploit-db.com/exploits/39435/"
            },
            {
              "name": "http://packetstormsecurity.com/files/135720/Apache-Sling-Framework-2.3.6-Information-Disclosure.html",
              "refsource": "MISC",
              "url": "http://packetstormsecurity.com/files/135720/Apache-Sling-Framework-2.3.6-Information-Disclosure.html"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "078d4453-3bcd-4900-85e6-15281da43538",
    "assignerShortName": "adobe",
    "cveId": "CVE-2016-0956",
    "datePublished": "2016-02-10T20:00:00",
    "dateReserved": "2015-12-22T00:00:00",
    "dateUpdated": "2024-08-05T22:38:41.503Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted