Description
In Apache Brooklyn before 0.10.0, the REST server is vulnerable to cross-site request forgery (CSRF), which could permit a malicious web site to produce a link which, if clicked whilst a user is logged in to Brooklyn, would cause the server to execute the attacker's commands as the user. There is known to be a proof-of-concept exploit using this vulnerability.
References (3)
Core References
Mitigation, Patch, Vendor Advisory (x_refsource_confirm)
https://brooklyn.apache.org/community/security/CVE-2016-8737.html
Third Party Advisory, VDB Entry (vdb-entry, x_refsource_bid)
http://www.securityfocus.com/bid/96228
Mailing List (mailing-list, x_refsource_mlist)
https://lists.apache.org/thread.html/877813aaaa0e636adbc36106b89a54e0e6918f0884e9c8b67d5d5953%40%3Cdev.brooklyn.apache.org%3E
Scores
CVSS v3
8.8
EPSS
0.0019
EPSS Percentile
40.0%
Attack Vector
NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Details
CWE
CWE-352
Status
published
Products (4)
apache/brooklyn
< 0.9.0
Apache Software Foundation/Apache Brooklyn
0.9.0 and all prior versions
org.apache.brooklyn/brooklyn-jsgui
0 - 0.10.0 (Maven)
org.apache.brooklyn/brooklyn-rest-resources
0 - 0.10.0 (Maven)
Published
Sep 13, 2017
Tracked Since
Feb 18, 2026