Description

Cross-site request forgery (CSRF) vulnerability in the admin terminal in Hawt.io allows remote attackers to hijack the authentication of arbitrary users for requests that run commands on the Karaf server, as demonstrated by running "shutdown -f."

Remediation

References

https://infocon.org/cons/SyScan/SyScan%202015%20Singapore/SyScan%202015%20Singapore%20presentations/SyScan15%20David%20Jorm%20-%20Finding%20and%20exploiting%20novel%20flaws%20in%20Java%20software.pdf

https://github.com/hawtio/hawtio/commit/b4e23e002639c274a2f687ada980118512f06113

https://bugzilla.redhat.com/show_bug.cgi?id=1072681

Related Vulnerabilities

CVE-2021-40822 Vulnerability in maven package org.geoserver:gs-main

CVE-2020-5397 Vulnerability in maven package org.springframework:spring-webmvc

CVE-2022-36944 Vulnerability in maven package org.scala-lang:scala-library

CVE-2020-7607 Vulnerability in npm package gulp-styledocco

CVE-2018-16487 Vulnerability in npm package lodash._basemerge

Severity

Critical

Classification

CWE-352 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Tags

Issue Tracking Third Party Advisory Patch