
CVSS: 8.8 | EPSS: 0% | CPEs: 1 | EXPL: 0

Hawtio versions up to and including 1.5.3 are vulnerable to cross-site request forgery (CSRF). A remote attacker can lure a logged-in user to an attacker-controlled website whose script submits requests to the hawtio server on that user's behalf, riding on the session credentials the browser attaches automatically. • http://www.securityfocus.com/bid/100411 https://bugzilla.redhat.com/show_bug.cgi?id=1480060 • CWE-352: Cross-Site Request Forgery (CSRF) •
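What a server-side CSRF defence for an endpoint like this looks like, as an added example in Python (not hawtio's code; hawtio itself is Java): a per-session synchroniser token compared in constant time, plus an Origin/Referer check that fails closed when neither header is present. CONSOLE_ORIGIN, the form field name csrf_token, and the three requests in scenario() are all constructed for the example.

```python
import hmac
import secrets
from urllib.parse import urlsplit

# Assumed origin of the console; hypothetical value chosen for this example.
CONSOLE_ORIGIN = "https://hawtio.example.internal"
# Methods that must never change state, so they need no token (RFC 7231 "safe" methods).
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}


def issue_csrf_token() -> str:
    """Per-session secret: keep it with the server-side session and embed it in forms/JS."""
    return secrets.token_urlsafe(32)


def _header(headers: dict, name: str):
    """Case-insensitive header lookup (HTTP header names are case-insensitive)."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def origin_matches(headers: dict) -> bool:
    """Origin (or Referer, for browsers that omit Origin) must name the console itself.
    A cross-site form post from attacker.example carries the attacker's Origin."""
    source = _header(headers, "Origin") or _header(headers, "Referer")
    if not source:
        return False  # no provenance at all: fail closed
    got, want = urlsplit(source), urlsplit(CONSOLE_ORIGIN)
    return (got.scheme, got.netloc) == (want.scheme, want.netloc)


def csrf_check(method: str, headers: dict, form: dict, session_token: str) -> bool:
    """True only when a state-changing request is same-origin AND carries the session's token.
    Cookies are deliberately not consulted: the browser sends them on forged requests too."""
    if method.upper() in SAFE_METHODS:
        return True
    if not origin_matches(headers):
        return False
    submitted = form.get("csrf_token", "")
    if not submitted or not session_token:
        return False
    # Constant-time comparison so the token cannot be recovered byte by byte via timing.
    return hmac.compare_digest(submitted, session_token)


def scenario():
    """Constructed requests: a forged cross-site POST, a legitimate POST, and a same-origin
    POST carrying a token from some other session. Returns their three verdicts."""
    token = issue_csrf_token()
    # 1. Forged POST from an attacker page. The victim's browser attaches the session cookie
    #    (modelled here by passing session_token), but the Origin is the attacker's and the
    #    attacker's page cannot read the victim's token.
    forged = csrf_check(
        "POST",
        {"Origin": "https://attacker.example", "Cookie": "JSESSIONID=abc123"},
        {"cmd": "shutdown"},
        token,
    )
    # 2. Legitimate POST issued by the console's own page.
    legit = csrf_check("POST", {"Origin": CONSOLE_ORIGIN}, {"csrf_token": token}, token)
    # 3. Same-origin, but the token belongs to a different session: still rejected.
    stale = csrf_check(
        "POST", {"Origin": CONSOLE_ORIGIN}, {"csrf_token": issue_csrf_token()}, token
    )
    return forged, legit, stale


if __name__ == "__main__":
    print("forged, legit, stale =", scenario())
```

Two checks are used rather than one because each covers the other's blind spot: the Origin check stops a forged request even if the token leaks through a reflected page, and the token check stops a request whose Origin was stripped by a privacy proxy or is absent on older clients.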

CVSS: 9.0 | EPSS: 0% | CPEs: 2 | EXPL: 0

It was discovered that the hawtio servlet in version 1.4 proxies requests through a single HttpClient instance backed by one persistent cookie store: cookies set by the end URL are kept locally in that store rather than being relayed to the client. As a result every client using the proxy shares the same cookies, and one client's requests can carry cookies that another client obtained from the backend. • https://access.redhat.com/errata/RHSA-2017:1832 https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-2589 https://access.redhat.com/security/cve/CVE-2017-2589 https://bugzilla.redhat.com/show_bug.cgi?id=1413905 • CWE-285: Improper Authorization •
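The flaw and its fix side by side, modelled in Python as an added example (not the hawtio servlet's code, which is Java on Apache HttpClient): a loopback upstream that sets a session cookie on /login and echoes back whatever Cookie header it receives, a proxy that reuses one cookie jar for all callers, and a proxy that keeps a jar per calling client. The upstream, the client ids alice and bob, and the /login and /whoami URLs are constructed for the example.

```python
import threading
from http.cookiejar import CookieJar
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.request import HTTPCookieProcessor, ProxyHandler, Request, build_opener


class Upstream(BaseHTTPRequestHandler):
    """Constructed stand-in for the proxied end URL: /login?user=NAME sets a session
    cookie; any other path echoes the Cookie header it received as the response body."""

    def do_GET(self):
        if self.path.startswith("/login?user="):
            user = self.path.split("user=", 1)[1]
            self.send_response(200)
            self.send_header("Set-Cookie", f"session={user}; Path=/")
            self.send_header("Content-Length", "0")
            self.end_headers()
            return
        body = self.headers.get("Cookie", "").encode()
        self.send_response(200)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo quiet
        pass


def start_upstream():
    """Bind the constructed upstream on an ephemeral loopback port and serve it in a thread."""
    srv = HTTPServer(("127.0.0.1", 0), Upstream)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def _opener(jar):
    # ProxyHandler({}) makes urllib ignore any http_proxy environment variable.
    return build_opener(ProxyHandler({}), HTTPCookieProcessor(jar))


class SharedJarProxy:
    """The flawed pattern: one client object with one cookie jar for every caller,
    so a cookie the backend issued to alice is replayed on bob's requests."""

    def __init__(self, base):
        self.base = base
        self.opener = _opener(CookieJar())

    def fetch(self, client_id, path):
        with self.opener.open(Request(self.base + path)) as resp:
            return resp.read().decode()


class PerClientJarProxy:
    """Corrected pattern: the backend cookie jar is keyed by the calling client's identity,
    so nothing obtained on behalf of one client is ever sent for another."""

    def __init__(self, base):
        self.base = base
        self.jars = {}

    def fetch(self, client_id, path):
        jar = self.jars.setdefault(client_id, CookieJar())
        with _opener(jar).open(Request(self.base + path)) as resp:
            return resp.read().decode()


def run_scenario(proxy_cls):
    """alice logs in through the proxy; then alice and bob each ask the backend who they are.
    Returns (body seen by alice, body seen by bob)."""
    srv = start_upstream()
    base = f"http://127.0.0.1:{srv.server_port}"
    try:
        proxy = proxy_cls(base)
        proxy.fetch("alice", "/login?user=alice")
        return proxy.fetch("alice", "/whoami"), proxy.fetch("bob", "/whoami")
    finally:
        srv.shutdown()
        srv.server_close()


if __name__ == "__main__":
    print("shared jar    :", run_scenario(SharedJarProxy))
    print("per-client jar:", run_scenario(PerClientJarProxy))
```

With the shared jar bob's /whoami comes back as session=alice; with a per-client jar bob gets an empty Cookie header while alice keeps her own session. In a real proxy the jar key would be the caller's authenticated session, and the cookies would more often be relayed to the caller than stored at all.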

CVSS: 7.5 | EPSS: 0% | CPEs: 1 | EXPL: 0

hawtio before versions 2.0-beta-1, 2.0-beta-2, 2.0-m1, 2.0-m2, 2.0-m3, and 1.5 is vulnerable to a path traversal that triggers a NullPointerException whose full stack trace is returned in the response. An attacker could use this flaw to gather undisclosed information about the contents of hawtio's root. • http://www.securityfocus.com/bid/95793 https://access.redhat.com/errata/RHSA-2017:1832 https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-2594 https://access.redhat.com/security/cve/CVE-2017-2594 https://bugzilla.redhat.com/show_bug.cgi?id=1415543 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') CWE-209: Generation of Error Message Containing Sensitive Information •
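How a handler confines a requested path to its root and keeps stack traces out of responses, as an added Python example rather than hawtio's own fix: every candidate path is resolved and checked against the resolved root (so encoded dot-dot segments, absolute paths and symlinks pointing outside are all caught), and any unexpected exception is logged server-side while the client receives a fixed body. The webroot layout built by build_fixture() and the request paths in the usage note are constructed for the example.

```python
import logging
import tempfile
from pathlib import Path
from urllib.parse import unquote

log = logging.getLogger("static")


def resolve_under_root(root: Path, requested: str):
    """Map a URL path onto a file inside root, or return None if it would escape.
    resolve() canonicalises '..' and follows symlinks, so a link inside root that
    points outside is rejected as well."""
    decoded = unquote(requested)
    if "\x00" in decoded:  # a NUL byte would truncate the path at the OS layer
        return None
    root = root.resolve()
    # pathlib discards root when the right-hand side is absolute ('/etc/passwd'),
    # which is exactly why the containment check below is needed.
    candidate = (root / decoded).resolve()
    if candidate != root and root not in candidate.parents:
        return None
    return candidate


def serve(root: Path, requested: str):
    """Return (status, body). Unexpected exceptions are logged with their trace on the
    server only; the response body never carries exception text or paths."""
    try:
        target = resolve_under_root(root, requested)
        if target is None or not target.is_file():
            return 404, "Not found"
        return 200, target.read_text()
    except Exception:
        log.exception("error serving %r", requested)
        return 500, "Internal error"


def build_fixture():
    """Constructed layout: <tmp>/webroot/ is public, <tmp>/secret.txt sits just above it."""
    tmp = Path(tempfile.mkdtemp())
    root = tmp / "webroot"
    (root / "sub").mkdir(parents=True)
    (root / "index.html").write_text("<h1>hawtio</h1>")
    (root / "sub" / "app.js").write_text("console.log('ok')")
    (tmp / "secret.txt").write_text("db password")
    return root


if __name__ == "__main__":
    webroot = build_fixture()
    for req in ["index.html", "sub/../index.html", "../secret.txt",
                "%2e%2e%2fsecret.txt", "/etc/passwd", "sub", "index.html%00.png"]:
        status, body = serve(webroot, req)
        print(f"{req!r:24} -> {status} {body[:20]!r}")
```

Traversal attempts and unexpected errors both collapse to the same short bodies, so a probing client learns neither which paths exist outside the root nor the class names and file paths a stack trace would have revealed.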