Description
Cross-site request forgery (CSRF) vulnerability in the admin terminal in Hawt.io allows remote attackers to hijack the authentication of arbitrary users for requests that run commands on the Karaf server, as demonstrated by running "shutdown -f."
Remediation
References
https://infocon.org/cons/SyScan/SyScan%202015%20Singapore/SyScan%202015%20Singapore%20presentations/SyScan15%20David%20Jorm%20-%20Finding%20and%20exploiting%20novel%20flaws%20in%20Java%20software.pdf
https://github.com/hawtio/hawtio/commit/b4e23e002639c274a2f687ada980118512f06113
https://bugzilla.redhat.com/show_bug.cgi?id=1072681
Related Vulnerabilities
CVE-2022-23223 Vulnerability in maven package org.apache.shenyu:shenyu-common
CVE-2020-2222 Vulnerability in maven package org.jenkins-ci.main:jenkins-core
CVE-2018-25031 Vulnerability in maven package org.webjars.bower:swagger-ui
CVE-2021-36372 Vulnerability in maven package org.apache.ozone:ozone-common