Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2016-9498

ManageEngine Applications Manager 12 and 13 before build 13200, allows unserialization of unsafe Java objects. The vulnerability can be exploited by remote user without authentication and it allows to execute remote code compromising the application as well as the operating system. As Application Manager's RMI registry is running with privileges of system administrator, by exploiting this vulnerability an attacker gains highest privileges on the underlying operating system.

Published

2018-07-13T20:29:01.940

Last Modified

2024-11-21T03:01:20.043

Status

Modified

Source

[email protected]

Severity

CVSSv3.0: 9.8 (CRITICAL)

CVSSv2 Vector

AV:N/AC:L/Au:N/C:C/I:C/A:C

Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE

Exploitability Score

10.0

Impact Score

10.0

Weaknesses

Type: Secondary
CWE-502
Type: Primary
CWE-502

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	zohocorp	manageengine_applications_manager	12.0	Yes
Application	zohocorp	manageengine_applications_manager	13.0	Yes

References

http://seclists.org/fulldisclosure/2017/Apr/9 Mailing List, Third Party Advisory ([email protected])
https://www.manageengine.com/products/applications_manager/security-updates/security-updates-cve-2016-9498.html Vendor Advisory ([email protected])
https://www.securityfocus.com/bid/97394/ Third Party Advisory, VDB Entry ([email protected])
http://seclists.org/fulldisclosure/2017/Apr/9 Mailing List, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://www.manageengine.com/products/applications_manager/security-updates/security-updates-cve-2016-9498.html Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://www.securityfocus.com/bid/97394/ Third Party Advisory, VDB Entry (af854a3a-2127-422b-91ae-364da2661108)