CVE-2016-7043

low-risk

Published 2019-05-15

It has been reported that KIE server and Busitess Central before version 7.21.0.Final contain username and password as plaintext Java properties. Any app deployed on the same server would have access to these properties, thus granting access to ther services.

Do I need to act?

0.23% chance of exploitation

EPSS score — low exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 5.9/10 Medium

NETWORK / HIGH complexity

Affected Products (1)

Kie-Server

Affected Vendors

Redhat

References (4)

Issue Tracking https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-7043

Patch https://github.com/kiegroup/droolsjbpm-integration/pull/1273

Issue Tracking https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-7043

Patch https://github.com/kiegroup/droolsjbpm-integration/pull/1273

/ 100

low-risk

Severity 18/34 · Moderate

Exploitability 1/34 · Minimal

Exposure 5/34 · Minimal