{"api_version":"1","generated_at":"2026-04-23T00:39:45+00:00","cve":"CVE-2016-0906","urls":{"html":"https://cve.report/CVE-2016-0906","api":"https://cve.report/api/cve/CVE-2016-0906.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2016-0906","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2016-0906"},"summary":{"title":"CVE-2016-0906","description":"The web-restore interface in Avamar Data Store (ADS) and Avamar Virtual Edition (AVE) in EMC Avamar through 7.1.2 and 7.2.x through 7.2.1 allows remote authenticated users to read or delete directories via a Linux backup-restore operation.","state":"PUBLIC","assigner":"security_alert@emc.com","published_at":"2016-07-06 14:59:00","updated_at":"2017-09-01 01:29:00"},"problem_types":["CWE-284"],"metrics":[],"references":[{"url":"http://seclists.org/bugtraq/2016/Jul/33","name":"20160706 ESA-2016-054: EMC Avamar Data Store and Avamar Virtual Edition Unauthorized Data Access Vulnerability","refsource":"BUGTRAQ","tags":[],"title":"Bugtraq: ESA-2016-054: EMC Avamar Data Store and Avamar Virtual Edition Unauthorized Data Access Vulnerability","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"http://www.securitytracker.com/id/1036235","name":"1036235","refsource":"SECTRACK","tags":[],"title":"EMC Avamar Backup Restoration Flaw Lets Remote Authenticated Users Read and Delete Files on the Target System - SecurityTracker","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://www.cve.org/CVERecord?id=CVE-2016-0906","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2016-0906","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2016","cve_id":"906","vulnerable":"1","versionEndIncluding":"7.2.1","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"emc","cpe5":"avamar","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[]},"source_records":{"cve_program":{"CVE_data_meta":{"ASSIGNER":"security_alert@emc.com","ID":"CVE-2016-0906","STATE":"PUBLIC"},"affects":{"vendor":{"vendor_data":[{"product":{"product_data":[{"product_name":"n/a","version":{"version_data":[{"version_value":"n/a"}]}}]},"vendor_name":"n/a"}]}},"data_format":"MITRE","data_type":"CVE","data_version":"4.0","description":{"description_data":[{"lang":"eng","value":"The web-restore interface in Avamar Data Store (ADS) and Avamar Virtual Edition (AVE) in EMC Avamar through 7.1.2 and 7.2.x through 7.2.1 allows remote authenticated users to read or delete directories via a Linux backup-restore operation."}]},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"n/a"}]}]},"references":{"reference_data":[{"name":"1036235","refsource":"SECTRACK","url":"http://www.securitytracker.com/id/1036235"},{"name":"20160706 ESA-2016-054: EMC Avamar Data Store and Avamar Virtual Edition Unauthorized Data Access Vulnerability","refsource":"BUGTRAQ","url":"http://seclists.org/bugtraq/2016/Jul/33"}]}},"nvd":{"publishedDate":"2016-07-06 14:59:00","lastModifiedDate":"2017-09-01 01:29:00","problem_types":["CWE-284"],"metrics":{"baseMetricV3":{"cvssV3":{"version":"3.0","vectorString":"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH","baseScore":8.8,"baseSeverity":"HIGH"},"exploitabilityScore":2.8,"impactScore":5.9},"baseMetricV2":{"cvssV2":{"version":"2.0","vectorString":"AV:N/AC:L/Au:S/C:P/I:P/A:P","accessVector":"NETWORK","accessComplexity":"LOW","authentication":"SINGLE","confidentialityImpact":"PARTIAL","integrityImpact":"PARTIAL","availabilityImpact":"PARTIAL","baseScore":6.5},"severity":"MEDIUM","exploitabilityScore":8,"impactScore":6.4,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":false}},"configurations":{"CVE_data_version":"4.0","nodes":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:emc:avamar:*:*:*:*:*:*:*:*","versionEndIncluding":"7.2.1","cpe_name":[]}]}]}},"legacy_mitre":{"record":{"CveYear":"2016","CveId":"906","Ordinal":"86525","Title":"CVE-2016-0906","CVE":"CVE-2016-0906","Year":"2016"},"notes":[{"CveYear":"2016","CveId":"906","Ordinal":"1","NoteData":"The web-restore interface in Avamar Data Store (ADS) and Avamar Virtual Edition (AVE) in EMC Avamar through 7.1.2 and 7.2.x through 7.2.1 allows remote authenticated users to read or delete directories via a Linux backup-restore operation.","Type":"Description","Title":null},{"CveYear":"2016","CveId":"906","Ordinal":"2","NoteData":"2016-07-06","Type":"Other","Title":"Published"},{"CveYear":"2016","CveId":"906","Ordinal":"3","NoteData":"2017-08-31","Type":"Other","Title":"Modified"}]}}}