Description

Cross-site request forgery (CSRF) vulnerability in the admin terminal in Hawt.io allows remote attackers to hijack the authentication of arbitrary users for requests that run commands on the Karaf server, as demonstrated by running "shutdown -f."

Remediation

References

https://bugzilla.redhat.com/show_bug.cgi?id=1072681

https://github.com/hawtio/hawtio/commit/b4e23e002639c274a2f687ada980118512f06113

https://infocon.org/cons/SyScan/SyScan%202015%20Singapore/SyScan%202015%20Singapore%20presentations/SyScan15%20David%20Jorm%20-%20Finding%20and%20exploiting%20novel%20flaws%20in%20Java%20software.pdf

Related Vulnerabilities

CVE-2020-8127 Vulnerability in maven package org.webjars.npm:reveal.js

CVE-2021-21315 Vulnerability in npm package systeminformation

CVE-2023-26055 Vulnerability in maven package org.xwiki.commons:xwiki-commons-xml

CVE-2022-44262 Vulnerability in maven package org.ff4j:ff4j-core

CVE-2023-34467 Vulnerability in maven package org.xwiki.platform:xwiki-platform-livetable-ui

Severity

Critical

Classification

CWE-352 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Tags

Issue Tracking Patch Third Party Advisory