Cross-site Request Forgery (CSRF) Affecting org.apache.brooklyn:brooklyn-rest-api package, versions [,0.10.0)


Severity

Recommended
0.0
high
0
10

CVSS assessment made by Snyk's Security Team. Learn more

Threat Intelligence

Exploit Maturity
Proof of Concept
EPSS
0.14% (35th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk Learn

Learn about Cross-site Request Forgery (CSRF) vulnerabilities in an interactive lesson.

Start learning
  • Snyk IDSNYK-JAVA-ORGAPACHEBROOKLYN-9962107
  • published5 May 2025
  • disclosed13 Sept 2017
  • creditToshitsugu Yoneyama

Introduced: 13 Sep 2017

CVE-2016-8737  (opens in a new tab)
CWE-352  (opens in a new tab)

How to fix?

Upgrade org.apache.brooklyn:brooklyn-rest-api to version 0.10.0 or higher.

Overview

Affected versions of this package are vulnerable to Cross-site Request Forgery (CSRF) via the REST server. An attacker can execute commands as the user by producing a malicious link that, if clicked while the user is logged in, exploits the server.

PoC

Attacker puts something like this into their malicious site:

<form action="http://<Brooklyn>/v1/applications/oadP4rZU/entities/oadP4rZU/name?name=hacked" method="POST">

If the user clicks on this when logged in, the name of that entity will be changed by the attacker.

CVSS Base Scores

version 4.0
version 3.1