Vulnerability Name:

CVE-2016-7061 (CCN-120947)

Assigned: 2016-08-23
Published: 2017-01-18
Updated: 2019-10-09
Summary: An information disclosure vulnerability was found in JBoss Enterprise Application Platform before 7.0.4. It was discovered that when configuring RBAC and marking information as sensitive, users with a Monitor role are able to view the sensitive information.
CVSS v3 Severity: 6.5 Medium (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N)
5.7 Medium (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C)
Exploitability Metrics: Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): Low
User Interaction (UI): None
Scope: Scope (S): Unchanged
Impact Metrics: Confidentiality (C): High
Integrity (I): None
Availability (A): None
4.3 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)
3.8 Low (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C)
Exploitability Metrics: Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): Low
User Interaction (UI): None
Scope: Scope (S): Unchanged
Impact Metrics: Confidentiality (C): Low
Integrity (I): None
Availability (A): None
CVSS v2 Severity: 4.0 Medium (CVSS v2 Vector: AV:N/AC:L/Au:S/C:P/I:N/A:N)
Exploitability Metrics: Access Vector (AV): Network
Access Complexity (AC): Low
Authentication (Au): Single_Instance
Impact Metrics: Confidentiality (C): Partial
Integrity (I): None
Availability (A): None
4.0 Medium (CCN CVSS v2 Vector: AV:N/AC:L/Au:S/C:P/I:N/A:N)
Exploitability Metrics: Access Vector (AV): Network
Access Complexity (AC): Low
Authentication (Au): Single_Instance
Impact Metrics: Confidentiality (C): Partial
Integrity (I): None
Availability (A): None
Vulnerability Type: CWE-200
Vulnerability Consequences: Obtain Information
References:

Source: MITRE
Type: CNA
CVE-2016-7061

Source: CCN
Type: RHSA-2017-0170
Moderate: JBoss Enterprise Application Platform 7.0.4 on RHEL 6

Source: REDHAT
Type: Vendor Advisory
RHSA-2017:0170

Source: CCN
Type: RHSA-2017-0171
Moderate: JBoss Enterprise Application Platform 7.0.4 for RHEL 7

Source: REDHAT
Type: Vendor Advisory
RHSA-2017:0171

Source: CCN
Type: RHSA-2017-0172
Moderate: Red Hat JBoss Enterprise Application Platform 7.0.4

Source: REDHAT
Type: Vendor Advisory
RHSA-2017:0172

Source: CCN
Type: RHSA-2017-0173
Moderate: eap7-jboss-ec2-eap security update

Source: REDHAT
Type: Vendor Advisory
RHSA-2017:0173

Source: CCN
Type: RHSA-2017-0244
Important: Red Hat JBoss Enterprise Application Platform security update

Source: REDHAT
Type: Vendor Advisory
RHSA-2017:0244

Source: CCN
Type: RHSA-2017-0245
Important: Red Hat JBoss Enterprise Application Platform security update

Source: REDHAT
Type: Vendor Advisory
RHSA-2017:0245

Source: CCN
Type: RHSA-2017-0246
Important: Red Hat JBoss Enterprise Application Platform security update

Source: REDHAT
Type: Vendor Advisory
RHSA-2017:0246

Source: CCN
Type: RHSA-2017-0247
Important: Red Hat JBoss Enterprise Application Platform security update

Source: REDHAT
Type: Vendor Advisory
RHSA-2017:0247

Source: CCN
Type: RHSA-2017-0250
Important: jboss-ec2-eap security, bug fix, and enhancement update

Source: REDHAT
Type: Vendor Advisory
RHSA-2017:0250

Source: BID
Type: Third Party Advisory, VDB Entry
94222

Source: CCN
Type: BID-94222
Redhat JBoss Enterprise Application Platform CVE-2016-7061 Information Disclosure Vulnerability

Source: REDHAT
Type: Vendor Advisory
RHSA-2017:3454

Source: REDHAT
Type: Vendor Advisory
RHSA-2017:3455

Source: REDHAT
Type: Vendor Advisory
RHSA-2017:3456

Source: REDHAT
Type: Vendor Advisory
RHSA-2017:3458

Source: CCN
Type: Red Hat Bugzilla – Bug 1380852
(CVE-2016-7061) CVE-2016-7061 EAP: Sensitive data can be exposed at the server level in domain mode

Source: CONFIRM
Type: Issue Tracking, Vendor Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-7061

Source: XF
Type: UNKNOWN
redhat-eap-cve20167061-info-disc(120947)

Vulnerable Configuration:

Configuration 1:
  • cpe:/a:redhat:jboss_enterprise_application_platform:*:*:*:*:*:*:*:* (Version < 7.0.4)
  AND
  • cpe:/o:redhat:enterprise_linux:6.0:*:*:*:*:*:*:*
    OR cpe:/o:redhat:enterprise_linux:7.0:*:*:*:*:*:*:*

Configuration CCN 1:
  • cpe:/a:redhat:jboss_enterprise_application_platform:7.0.3:*:*:*:*:*:*:*
    OR cpe:/a:redhat:jboss_enterprise_application_platform:6.4.12:*:*:*:*:*:*:*
