CVE-2014-0120

Опубликовано: 29 дек. 2017

Источник: nvd

CVSS3: 8.8

CVSS2: 6.8

EPSS Низкий

Описание

Cross-site request forgery (CSRF) vulnerability in the admin terminal in Hawt.io allows remote attackers to hijack the authentication of arbitrary users for requests that run commands on the Karaf server, as demonstrated by running "shutdown -f."

Ссылки

https://bugzilla.redhat.com/show_bug.cgi?id=1072681
Issue Tracking
Patch
Third Party Advisory
https://github.com/hawtio/hawtio/commit/b4e23e002639c274a2f687ada980118512f06113
Issue Tracking
Patch
Third Party Advisory
https://infocon.org/cons/SyScan/SyScan%202015%20Singapore/SyScan%202015%20Singapore%20presentations/SyScan15%20David%20Jorm%20-%20Finding%20and%20exploiting%20novel%20flaws%20in%20Java%20software.pdf
Issue Tracking
Third Party Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=1072681
Issue Tracking
Patch
Third Party Advisory
https://github.com/hawtio/hawtio/commit/b4e23e002639c274a2f687ada980118512f06113
Issue Tracking
Patch
Third Party Advisory
https://infocon.org/cons/SyScan/SyScan%202015%20Singapore/SyScan%202015%20Singapore%20presentations/SyScan15%20David%20Jorm%20-%20Finding%20and%20exploiting%20novel%20flaws%20in%20Java%20software.pdf
Issue Tracking
Third Party Advisory

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:hawt:hawtio:*:*:*:*:*:*:*:*

Версия до 1.2.2 (включая)

Конфигурация 2

cpe:2.3:a:redhat:jboss_fuse:6.1.0:beta:*:*:*:*:*:*

EPSS

Процентиль: 30%

0.00109

Низкий

8.8 High

CVSS3

6.8 Medium

CVSS2

Дефекты

CWE-352

Связанные уязвимости