Description

Cross-site request forgery (CSRF) vulnerability in the admin terminal in Hawt.io allows remote attackers to hijack the authentication of arbitrary users for requests that run commands on the Karaf server, as demonstrated by running "shutdown -f."

Remediation

References

https://bugzilla.redhat.com/show_bug.cgi?id=1072681

https://github.com/hawtio/hawtio/commit/b4e23e002639c274a2f687ada980118512f06113

https://infocon.org/cons/SyScan/SyScan%202015%20Singapore/SyScan%202015%20Singapore%20presentations/SyScan15%20David%20Jorm%20-%20Finding%20and%20exploiting%20novel%20flaws%20in%20Java%20software.pdf

Related Vulnerabilities

CVE-2019-14893 Vulnerability in maven package com.fasterxml.jackson.core:jackson-databind

CVE-2022-25912 Vulnerability in npm package simple-git

CVE-2023-34466 Vulnerability in maven package org.xwiki.platform:xwiki-platform-tag-api

CVE-2021-36372 Vulnerability in maven package org.apache.ozone:ozone-common

CVE-2019-9212 Vulnerability in maven package com.alipay.sofa:hessian

Severity

Critical

Classification

CWE-352 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Tags

Issue Tracking Patch Third Party Advisory