CVE-2023-33544
https://notcve.org/view.php?id=CVE-2023-33544
hawtio 2.17.2 is vulnerable to Path Traversal. it is possible to input malicious zip files, which can result in the high-risk files after decompression being stored in any location, even leading to file overwrite. • https://github.com/hawtio/hawtio/issues/2832 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVE-2019-9827 – hawtio: server side request forgery via initial /proxy/ substring of a URI
https://notcve.org/view.php?id=CVE-2019-9827
Hawt Hawtio through 2.5.0 is vulnerable to SSRF, allowing a remote attacker to trigger an HTTP request from an affected server to an arbitrary host via the initial /proxy/ substring of a URI. Hawt Hawtio hasta la versión 2.5.0 es vulnerable a SSRF, permite a un atacante remoto que desencadene una petición HTTP desde un servidor afectado a un host arbitrario mediante initial/proxy/ substring de un URI. Hawtio versions 2.5.0 and below suffer from a server side request forgery vulnerability. • https://www.ciphertechs.com/hawtio-advisory https://access.redhat.com/security/cve/CVE-2019-9827 https://bugzilla.redhat.com/show_bug.cgi?id=1728604 • CWE-602: Client-Side Enforcement of Server-Side Security CWE-918: Server-Side Request Forgery (SSRF) •
CVE-2017-2617 – Hawtio: Unrestricted file upload leads to RCE
https://notcve.org/view.php?id=CVE-2017-2617
hawtio before version 1.5.5 is vulnerable to remote code execution via file upload. An attacker could use this vulnerability to upload a crafted file which could be executed on a target machine where hawtio is deployed. hawtio en versiones anteriores a la 1.5.5 es vulnerable a la ejecución remota de código mediante la subida de archivos. Un atacante podría usar esta vulnerabilidad para subir un archivo manipulado que podría ejecutarse en una máquina objetivo en la que se está desplegando hawtio. It was found that a flaw in hawtio could cause remote code execution via file upload. An attacker could use this vulnerability to upload crafted file which could be executed on a target machine where hawtio is deployed. • http://www.securityfocus.com/bid/96036 https://access.redhat.com/errata/RHSA-2018:0319 https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-2617 https://access.redhat.com/security/cve/CVE-2017-2617 https://bugzilla.redhat.com/show_bug.cgi?id=1419363 • CWE-20: Improper Input Validation CWE-434: Unrestricted Upload of File with Dangerous Type •
CVE-2014-0121
https://notcve.org/view.php?id=CVE-2014-0121
The admin terminal in Hawt.io does not require authentication, which allows remote attackers to execute arbitrary commands via the k parameter. El terminal de administrador en Hawt.io no requiere autenticación, lo que permite que atacantes remotos ejecuten comandos arbitrarios mediante el parámetro k. • https://bugzilla.redhat.com/show_bug.cgi?id=1072716 https://github.com/hawtio/hawtio/commit/5289715e4f2657562fdddcbad830a30969b96e1e https://infocon.org/cons/SyScan/SyScan%202015%20Singapore/SyScan%202015%20Singapore%20presentations/SyScan15%20David%20Jorm%20-%20Finding%20and%20exploiting%20novel%20flaws%20in%20Java%20software.pdf • CWE-287: Improper Authentication •
CVE-2014-0120
https://notcve.org/view.php?id=CVE-2014-0120
Cross-site request forgery (CSRF) vulnerability in the admin terminal in Hawt.io allows remote attackers to hijack the authentication of arbitrary users for requests that run commands on the Karaf server, as demonstrated by running "shutdown -f." Vulnerabilidad de Cross-Site Request Forgery (CSRF) en el terminal de administrador en Hawt.io permite que atacantes remotos secuestren la autenticación de usuarios arbitrarios para peticiones que ejecutan comandos en el servidor Karaf, tal y como se demuestra ejecutando "shutdown -f". • https://bugzilla.redhat.com/show_bug.cgi?id=1072681 https://github.com/hawtio/hawtio/commit/b4e23e002639c274a2f687ada980118512f06113 https://infocon.org/cons/SyScan/SyScan%202015%20Singapore/SyScan%202015%20Singapore%20presentations/SyScan15%20David%20Jorm%20-%20Finding%20and%20exploiting%20novel%20flaws%20in%20Java%20software.pdf • CWE-352: Cross-Site Request Forgery (CSRF) •