{"api_version":"1","generated_at":"2026-05-13T02:11:34+00:00","cve":"CVE-2016-8648","urls":{"html":"https://cve.report/CVE-2016-8648","api":"https://cve.report/api/cve/CVE-2016-8648.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2016-8648","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2016-8648"},"summary":{"title":"CVE-2016-8648","description":"It was found that the Karaf container used by Red Hat JBoss Fuse 6.x, and Red Hat JBoss A-MQ 6.x, deserializes objects passed to MBeans via JMX operations. An attacker could use this flaw to execute remote code on the server as the user running the Java Virtual Machine if the target MBean contain deserialization gadgets in its classpath.","state":"PUBLIC","assigner":"secalert@redhat.com","published_at":"2018-08-01 14:29:00","updated_at":"2023-02-12 23:26:00"},"problem_types":["CWE-502"],"metrics":[],"references":[{"url":"http://www.securityfocus.com/bid/94513","name":"94513","refsource":"BID","tags":["Third Party Advisory","VDB Entry"],"title":"Apache Karaf CVE-2016-8648 Remote Code Execution Vulnerability","mime":"text/html","httpstatus":"200","archivestatus":"0"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-8648","name":"https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-8648","refsource":"CONFIRM","tags":["Issue Tracking","Mitigation","Third Party Advisory"],"title":"1395077 – (CVE-2016-8648) CVE-2016-8648 Karaf JMX Console RCE during deserialization","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://www.cve.org/CVERecord?id=CVE-2016-8648","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2016-8648","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2016","cve_id":"8648","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"redhat","cpe5":"jboss_a-mq","cpe6":"6.0.0","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2016","cve_id":"8648","vulnerable":"1","versionEndIncluding":"1","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"redhat","cpe5":"jboss_a-mq","cpe6":"6.0.0","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2016","cve_id":"8648","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"redhat","cpe5":"jboss_fuse","cpe6":"6.0.0","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2016","cve_id":"8648","vulnerable":"1","versionEndIncluding":"1","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"redhat","cpe5":"jboss_fuse","cpe6":"6.0.0","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[]},"source_records":{"cve_program":{"data_version":"4.0","data_type":"CVE","data_format":"MITRE","CVE_data_meta":{"ID":"CVE-2016-8648","ASSIGNER":"secalert@redhat.com","STATE":"PUBLIC"},"description":{"description_data":[{"lang":"eng","value":"It was found that the Karaf container used by Red Hat JBoss Fuse 6.x, and Red Hat JBoss A-MQ 6.x, deserializes objects passed to MBeans via JMX operations. An attacker could use this flaw to execute remote code on the server as the user running the Java Virtual Machine if the target MBean contain deserialization gadgets in its classpath."}]},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"CWE-502","cweId":"CWE-502"}]}]},"affects":{"vendor":{"vendor_data":[{"vendor_name":"Apache Software Foundation","product":{"product_data":[{"product_name":"Karaf","version":{"version_data":[{"version_affected":"=","version_value":"As shipped with Jboss Fuse 6.x"}]}}]}}]}},"references":{"reference_data":[{"url":"http://www.securityfocus.com/bid/94513","refsource":"MISC","name":"http://www.securityfocus.com/bid/94513"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-8648","refsource":"MISC","name":"https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-8648"}]},"impact":{"cvss":[{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":7.2,"baseSeverity":"HIGH","confidentialityImpact":"HIGH","integrityImpact":"HIGH","privilegesRequired":"HIGH","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H","version":"3.0"}]}},"nvd":{"publishedDate":"2018-08-01 14:29:00","lastModifiedDate":"2023-02-12 23:26:00","problem_types":["CWE-502"],"metrics":{"baseMetricV3":{"cvssV3":{"version":"3.0","vectorString":"CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"HIGH","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH","baseScore":7.2,"baseSeverity":"HIGH"},"exploitabilityScore":1.2,"impactScore":5.9},"baseMetricV2":{"cvssV2":{"version":"2.0","vectorString":"AV:N/AC:L/Au:S/C:P/I:P/A:P","accessVector":"NETWORK","accessComplexity":"LOW","authentication":"SINGLE","confidentialityImpact":"PARTIAL","integrityImpact":"PARTIAL","availabilityImpact":"PARTIAL","baseScore":6.5},"severity":"MEDIUM","exploitabilityScore":8,"impactScore":6.4,"acInsufInfo":false,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":false}},"configurations":{"CVE_data_version":"4.0","nodes":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:redhat:jboss_a-mq:6.0.0:*:*:*:*:*:*:*","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:redhat:jboss_fuse:6.0.0:*:*:*:*:*:*:*","cpe_name":[]}]}]}},"legacy_mitre":{"record":{"CveYear":"2016","CveId":"8648","Ordinal":"95303","Title":"CVE-2016-8648","CVE":"CVE-2016-8648","Year":"2016"},"notes":[{"CveYear":"2016","CveId":"8648","Ordinal":"1","NoteData":"It was found that the Karaf container used by Red Hat JBoss Fuse 6.x, and Red Hat JBoss A-MQ 6.x, deserializes objects passed to MBeans via JMX operations. An attacker could use this flaw to execute remote code on the server as the user running the Java Virtual Machine if the target MBean contain deserialization gadgets in its classpath.","Type":"Description","Title":null},{"CveYear":"2016","CveId":"8648","Ordinal":"2","NoteData":"2018-08-01","Type":"Other","Title":"Published"},{"CveYear":"2016","CveId":"8648","Ordinal":"3","NoteData":"2018-08-02","Type":"Other","Title":"Modified"}]}}}