Description

Cross-site request forgery (CSRF) vulnerability in the admin terminal in Hawt.io allows remote attackers to hijack the authentication of arbitrary users for requests that run commands on the Karaf server, as demonstrated by running "shutdown -f."

Remediation

References

https://bugzilla.redhat.com/show_bug.cgi?id=1072681

https://github.com/hawtio/hawtio/commit/b4e23e002639c274a2f687ada980118512f06113

https://infocon.org/cons/SyScan/SyScan%202015%20Singapore/SyScan%202015%20Singapore%20presentations/SyScan15%20David%20Jorm%20-%20Finding%20and%20exploiting%20novel%20flaws%20in%20Java%20software.pdf

Related Vulnerabilities

CVE-2020-28469 Vulnerability in maven package org.webjars.bowergithub.es128:glob-parent

CVE-2023-33201 Vulnerability in maven package org.bouncycastle:bcprov-jdk14

CVE-2020-1745 Vulnerability in maven package io.undertow:undertow-core

CVE-2020-9480 Vulnerability in maven package org.apache.spark:spark-network-common_2.10

CVE-2017-16017 Vulnerability in npm package npm

Severity

Critical

Classification

CWE-352 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Tags

Issue Tracking Patch Third Party Advisory