Description
A flaw was found in Jolokia versions from 1.2 to before 1.6.1. Affected versions are vulnerable to a system-wide CSRF. This holds true for properly configured instances with strict checking for origin and referrer headers. This could result in a Remote Code Execution attack.
A flaw was found in Jolokia, versions 1.2 through 1.6.0, where Jolokia did not correctly handle checking for origin and referrer headers when strict checking was enabled. An attacker could use this vulnerability to conduct cross-site request forgery or further attacks.
Statement
In Red Hat OpenStack Platform, jolokia is not enabled by default and, when enabled, the jolokia endpoints do not rely on CORS for security. Therefore, the impact has been reduced to Low and no updates will be provided at this time for the RHOSP jolokia package.
Affected packages
| Platform | Package | State | Advisory | Release |
|---|---|---|---|---|
| JBoss Developer Studio 11 | jolokia-core | Out of support scope | | |
| Red Hat AMQ Broker 7 | jolokia-core | Affected | | |
| Red Hat Enterprise Linux OpenStack Platform 7 (Kilo) | opendaylight | Will not fix | | |
| Red Hat JBoss Data Virtualization 6 | jolokia-core | Not affected | | |
| Red Hat OpenStack Platform 10 (Newton) | opendaylight | Will not fix | | |
| Red Hat OpenStack Platform 12 (Pike) | opendaylight | Will not fix | | |
| Red Hat OpenStack Platform 13 (Queens) | opendaylight | Fix deferred | | |
| Red Hat OpenStack Platform 8 (Liberty) | opendaylight | Will not fix | | |
| Red Hat OpenStack Platform 9 (Mitaka) | opendaylight | Will not fix | | |
| Red Hat Fuse 6.3 | jolokia-core | Fixed | RHSA-2019:2804 | 17.09.2019 |
Additional information
Status:
EPSS:
CVSS3: 8.1 High