Description

Cross-site request forgery (CSRF) vulnerability in the admin terminal in Hawt.io allows remote attackers to hijack the authentication of arbitrary users for requests that run commands on the Karaf server, as demonstrated by running "shutdown -f."

Remediation

References

https://infocon.org/cons/SyScan/SyScan%202015%20Singapore/SyScan%202015%20Singapore%20presentations/SyScan15%20David%20Jorm%20-%20Finding%20and%20exploiting%20novel%20flaws%20in%20Java%20software.pdf

https://github.com/hawtio/hawtio/commit/b4e23e002639c274a2f687ada980118512f06113

https://bugzilla.redhat.com/show_bug.cgi?id=1072681

Related Vulnerabilities

CVE-2019-0192 Vulnerability in maven package org.apache.solr:solr-core

CVE-2022-36537 Vulnerability in maven package org.zkoss.zk:zk

CVE-2022-48285 Vulnerability in maven package org.webjars.bowergithub.stuk:jszip

CVE-2021-32729 Vulnerability in maven package org.xwiki.platform:xwiki-platform-security-authentication-script

CVE-2022-25646 Vulnerability in npm package x-data-spreadsheet

Severity

Critical

Classification

CWE-352 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Tags

Issue Tracking Third Party Advisory Patch