CVE-2016-3690

Published: Jun 8, 2017Modified: May 13, 2026

9.8

Vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Exploitability: 3.9 / Impact: 5.9

Source: NVD

Description

The PooledInvokerServlet in JBoss EAP 4.x and 5.x allows remote attackers to execute arbitrary code via a crafted serialized payload.

Affected (7)

Products: Redhat: Jboss Enterprise Application Platform

1 product

Jboss Enterprise Application Platform

Configuration A

7 vulnerable

Vulnerable Software	Affected Versions
Redhat Jboss Enterprise Application Platform	Version 4.2.0
Redhat Jboss Enterprise Application Platform	Version 4.3.0
Redhat Jboss Enterprise Application Platform	Version 5.0.0
Redhat Jboss Enterprise Application Platform	Version 5.1.0
Redhat Jboss Enterprise Application Platform	Version 5.1.1
Redhat Jboss Enterprise Application Platform	Version 5.1.2
Redhat Jboss Enterprise Application Platform	Version 5.2.0

Related CWEs

Deserialization of Untrusted Data

The product deserializes untrusted data without sufficiently verifying that the resulting data will be valid.

References (8)

http://www.securityfocus.com/bid/99079

Source: secalert@redhat.com

Third Party AdvisoryVDB Entry

https://access.redhat.com/solutions/178393

Source: secalert@redhat.com

MitigationVendor Advisory

https://access.redhat.com/solutions/45530

Source: secalert@redhat.com

MitigationVendor Advisory

https://bugzilla.redhat.com/show_bug.cgi?id=1327037

Source: secalert@redhat.com

Issue TrackingVendor Advisory

http://www.securityfocus.com/bid/99079

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party AdvisoryVDB Entry

https://access.redhat.com/solutions/178393

Source: af854a3a-2127-422b-91ae-364da2661108

MitigationVendor Advisory

https://access.redhat.com/solutions/45530

Source: af854a3a-2127-422b-91ae-364da2661108

MitigationVendor Advisory

https://bugzilla.redhat.com/show_bug.cgi?id=1327037

Source: af854a3a-2127-422b-91ae-364da2661108

Issue TrackingVendor Advisory

Timeline

No history available yet.