CVE-2018-10899 – jolokia: system-wide CSRF that could lead to Remote Code Execution
https://notcve.org/view.php?id=CVE-2018-10899
A flaw was found in Jolokia versions from 1.2 to before 1.6.1. Affected versions are vulnerable to a system-wide CSRF. This holds true even for properly configured instances with strict checking of the origin and referrer headers. This could result in a Remote Code Execution attack.

References:
https://access.redhat.com/errata/RHSA-2019:2413
https://access.redhat.com/errata/RHSA-2019:2804
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-10899
https://jolokia.org/changes-report.html#a1.6.1
https://lists.apache.org/thread.html/1392fbebb4fbbec379a40d16e1288fe1e4c0289d257e5206051a3793%40%3Cissues.activemq.apache.org%3E
https://lists.apache.org/thread.html/r46f6dbc029f49e1f638c6eb82accb94b7f990d818cb3b3bc0007dd0a%40%3Cissues.activemq.apache.org%3E
https://lists.apache.org/thread.html/r64701caec91c43efd7416d6bddef88447371101e00e8562

Weaknesses:
CWE-20: Improper Input Validation
CWE-352: Cross-Site Request Forgery (CSRF)
CVE-2018-1000129 – jolokia: Cross site scripting in the HTTP servlet
https://notcve.org/view.php?id=CVE-2018-1000129
An XSS vulnerability exists in the Jolokia agent version 1.3.7 in the HTTP servlet that allows an attacker to execute malicious JavaScript in the victim's browser.

References:
https://access.redhat.com/errata/RHSA-2018:2669
https://access.redhat.com/errata/RHSA-2018:3817
https://github.com/rhuss/jolokia/commit/5895d5c137c335e6b473e9dcb9baf748851bbc5f#diff-f19898247eddb55de6400489bff748ad
https://jolokia.org/#Security_fixes_with_1.5.0
https://access.redhat.com/security/cve/CVE-2018-1000129
https://bugzilla.redhat.com/show_bug.cgi?id=1559317

Weaknesses:
CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2018-1000130 – jolokia: JMX proxy mode vulnerable to remote code execution
https://notcve.org/view.php?id=CVE-2018-1000130
A JNDI Injection vulnerability exists in the Jolokia agent version 1.3.7 in the proxy mode that allows a remote attacker to run arbitrary Java code on the server.

References:
https://access.redhat.com/errata/RHSA-2018:2669
https://jolokia.org/#Security_fixes_with_1.5.0
https://access.redhat.com/security/cve/CVE-2018-1000130
https://bugzilla.redhat.com/show_bug.cgi?id=1559316

Weaknesses:
CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
CWE-99: Improper Control of Resource Identifiers ('Resource Injection')
CVE-2014-0168 – Jolokia: cross-site request forgery (CSRF)
https://notcve.org/view.php?id=CVE-2014-0168
Cross-site request forgery (CSRF) vulnerability in Jolokia before 1.2.1 allows remote attackers to hijack the authentication of users for requests that execute MBean methods via a crafted web page.

It was found that Jolokia was vulnerable to Cross-Site Request Forgery (CSRF) attacks. A remote attacker could provide a specially crafted web page that, when visited by a user logged in to Jolokia, could allow the attacker to execute arbitrary methods on MBeans exposed via JMX.

References:
http://rhn.redhat.com/errata/RHSA-2014-1351.html
https://github.com/rhuss/jolokia/commit/2d9b168cfbbf5a6d16fa6e8a5b34503e3dc42364
https://access.redhat.com/security/cve/CVE-2014-0168
https://bugzilla.redhat.com/show_bug.cgi?id=1084838

Weaknesses:
CWE-352: Cross-Site Request Forgery (CSRF)