Information disclosure in Red Hat Process Automation Manager (formerly JBoss BPM Suite)

Published: 2016-09-07 | Updated: 2020-08-09
Risk: Medium
Patch available: Yes
Number of vulnerabilities: 1
CVE-ID: CVE-2016-6344
CWE-ID: CWE-200
Exploitation vector: Network
Public exploit: N/A
Vulnerable software
Red Hat Process Automation Manager (formerly JBoss BPM Suite)
Web applications / Remote management & hosting panels

Vendor: Red Hat Inc.

Security Bulletin

This security bulletin contains one medium risk vulnerability.

1) Information disclosure

EUVDB-ID: #VU40132

Risk: Medium

CVSSv3.1: 4.6 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2016-6344

CWE-ID: CWE-200 - Information exposure

Exploit availability: No

Description

The vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.

Red Hat JBoss BPM Suite 6.3.x does not include the HTTPOnly flag in a Set-Cookie header for session cookies, which makes it easier for remote attackers to obtain potentially sensitive information via script access to the cookies.
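The weakness above is a missing cookie attribute, so it is easy to check for from the outside. The following added example (not code from the advisory or from Red Hat) parses Set-Cookie headers from a captured response and reports session cookies that lack HttpOnly; it also checks the Secure flag, which the advisory does not mention. It assumes the session cookie is named JSESSIONID and uses constructed sample headers.

```python
"""Audit HTTP response Set-Cookie headers for missing HttpOnly and Secure flags."""
from dataclasses import dataclass, field
from typing import List, Tuple

# Assumption: session cookies are named JSESSIONID (servlet-container default).
SESSION_COOKIE_NAMES = {"jsessionid"}

@dataclass
class CookieAudit:
    name: str
    http_only: bool
    secure: bool
    findings: List[str] = field(default_factory=list)

def parse_set_cookie(header_value: str) -> CookieAudit:
    """Parse one Set-Cookie value; attribute names are case-insensitive (RFC 6265)."""
    parts = [p.strip() for p in header_value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:] if p}
    return CookieAudit(name=name, http_only="httponly" in attrs, secure="secure" in attrs)

def audit_response_headers(headers: List[Tuple[str, str]]) -> List[CookieAudit]:
    """Audit every Set-Cookie header; findings are recorded only for session cookies."""
    results = []
    for key, value in headers:
        if key.lower() != "set-cookie":
            continue
        audit = parse_set_cookie(value)
        if audit.name.lower() in SESSION_COOKIE_NAMES:
            if not audit.http_only:
                audit.findings.append("missing HttpOnly: cookie readable by page scripts")
            if not audit.secure:
                audit.findings.append("missing Secure: cookie also sent over plain HTTP")
        results.append(audit)
    return results

# Constructed sample headers: the first cookie reproduces the weak pattern the
# advisory describes, the second is the hardened form, the third is not a session cookie.
SAMPLE_HEADERS = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "JSESSIONID=abc123; Path=/"),
    ("Set-Cookie", "JSESSIONID=def456; Path=/; Secure; HttpOnly"),
    ("Set-Cookie", "theme=dark; Path=/"),
]

if __name__ == "__main__":
    for a in audit_response_headers(SAMPLE_HEADERS):
        print(f"{a.name}: HttpOnly={a.http_only} Secure={a.secure} -> {'; '.join(a.findings) or 'ok'}")
```

Feed it the header list from any HTTP client to confirm a patched deployment now sets HttpOnly on its session cookie.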

Mitigation

Install the update from the vendor's website.

Vulnerable software versions

Red Hat Process Automation Manager (formerly JBoss BPM Suite): 6.3

External links

http://rhn.redhat.com/errata/RHSA-2017-0248.html
http://rhn.redhat.com/errata/RHSA-2017-0249.html
http://www.securityfocus.com/bid/92714
http://bugzilla.redhat.com/show_bug.cgi?id=1371807


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.