Risk | Medium |
Patch available | Yes |
Number of vulnerabilities | 1 |
CVE-ID | CVE-2016-6344 |
CWE-ID | CWE-200 |
Exploitation vector | Network |
Public exploit | N/A |
Vulnerable software | Red Hat Process Automation Manager (formerly JBoss BPM Suite) |
Software category | Web applications / Remote management & hosting panels |
Vendor | Red Hat Inc. |
Security Bulletin
This security bulletin contains one medium risk vulnerability.
EUVDB-ID: #VU40132
Risk: Medium
CVSSv3.1: 4.6 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2016-6344
CWE-ID: CWE-200 - Information exposure
Exploit availability: No
Description: The vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.
Red Hat JBoss BPM Suite 6.3.x does not set the HttpOnly flag in the Set-Cookie header for session cookies. Without that flag the cookies are readable by client-side script, which makes it easier for remote attackers to obtain potentially sensitive information via script access to the cookies.
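As an added example (not code from the advisory or from Red Hat), a small check a defender can run over an application's Set-Cookie response headers to confirm whether session cookies carry the HttpOnly attribute; the session cookie names other than JSESSIONID and the sample headers are assumed.

```python
"""Report session cookies that are set without the HttpOnly attribute.

Constructed example, not code from the advisory or from Red Hat. It parses
Set-Cookie header values and flags session cookies readable by script, which
is the weakness described in the advisory.
"""
from typing import Iterable, List, NamedTuple

# Cookie names treated as session identifiers. JSESSIONID is the servlet
# container default; the others are assumed common names.
SESSION_COOKIE_NAMES = {"jsessionid", "sessionid", "session"}


class CookieReport(NamedTuple):
    name: str
    http_only: bool
    secure: bool
    is_session: bool


def parse_set_cookie(header_value: str) -> CookieReport:
    """Parse one Set-Cookie value, e.g. 'JSESSIONID=abc; Path=/; HttpOnly'."""
    parts = [p.strip() for p in header_value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    # Attribute names are case-insensitive (RFC 6265); compare lower-cased.
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:] if p}
    return CookieReport(
        name=name,
        http_only="httponly" in attrs,
        secure="secure" in attrs,
        is_session=name.lower() in SESSION_COOKIE_NAMES,
    )


def find_exposed_session_cookies(set_cookie_headers: Iterable[str]) -> List[str]:
    """Return the names of session cookies that lack HttpOnly."""
    return [
        r.name for r in map(parse_set_cookie, set_cookie_headers)
        if r.is_session and not r.http_only
    ]


if __name__ == "__main__":
    # Constructed sample response headers, not captured from a real system.
    sample = [
        "JSESSIONID=0123456789ABCDEF; Path=/app",
        "JSESSIONID=FEDCBA9876543210; Path=/api; HttpOnly; Secure",
        "theme=dark; Path=/",
    ]
    for name in find_exposed_session_cookies(sample):
        print(f"session cookie {name!r} is readable by script (no HttpOnly)")
```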
Mitigation: Install the update from the vendor's website.
Vulnerable software versions: Red Hat Process Automation Manager (formerly JBoss BPM Suite): 6.3
External links:
http://rhn.redhat.com/errata/RHSA-2017-0248.html
http://rhn.redhat.com/errata/RHSA-2017-0249.html
http://www.securityfocus.com/bid/92714
http://bugzilla.redhat.com/show_bug.cgi?id=1371807
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.