CVE-2016-7034
Summary
| CVE | CVE-2016-7034 |
|---|---|
| State | PUBLIC |
| Assigner | [email protected] |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2016-09-07 18:59:00 UTC |
| Updated | 2018-02-15 02:29:00 UTC |
| Description | The dashbuilder in Red Hat JBoss BPM Suite 6.3.2 does not properly handle CSRF tokens generated during an active session and includes them in query strings, which makes it easier for remote attackers to (1) bypass CSRF protection mechanisms or (2) conduct cross-site request forgery (CSRF) attacks by obtaining an old token. |
Risk And Classification
Problem Types: CWE-352
NVD Known Affected Configurations (CPE 2.3)
| Type | Vendor | Product | Version | Update | Edition | Language |
|---|---|---|---|---|---|---|
| Application | Redhat | Jboss Bpm Suite | 6.3.2 | All | All | All |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| Red Hat Customer Portal | REDHAT | rhn.redhat.com | |
| Bug 1373347 – CVE-2016-7034 JBoss bpms: insecure handling CSRF token in dashbuilder | CONFIRM | bugzilla.redhat.com | Issue Tracking |
| Red Hat JBoss BPMS CVE-2016-7034 Cross Site Request Forgery Vulnerability | BID | www.securityfocus.com | Third Party Advisory, VDB Entry |
| Red Hat Customer Portal | REDHAT | access.redhat.com | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
No vendor comments have been submitted for this CVE.
There are currently no legacy QID mappings associated with this CVE.