CVE-2017-2594 – hawtio: information Disclosure flaws due to unsafe path traversal

https://notcve.org/view.php?id=CVE-2017-2594

hawtio before versions 2.0-beta-1, 2.0-beta-2 2.0-m1, 2.0-m2, 2.0-m3, and 1.5 is vulnerable to a path traversal that leads to a NullPointerException with a full stacktrace. An attacker could use this flaw to gather undisclosed information from within hawtio's root. hawtio en versiones anteriores a la 2.0-beta-1, 2.0-beta-2 2.0-m1, 2.0-m2, 2.0-m3 y 1.5 es vulnerable a un salto de directorio que conduce a una excepción de puntero NULL con una stacktrace completa. Un atacante podría utilizar este fallo para reunir información no publicada de la raíz de hawtio. It was found that a path traversal vulnerability in hawtio leads to a NullPointerException with a full stacktrace. An attacker could use this flaw to gather undisclosed information from within hawtio's root. • http://www.securityfocus.com/bid/95793 https://access.redhat.com/errata/RHSA-2017:1832 https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-2594 https://access.redhat.com/security/cve/CVE-2017-2594 https://bugzilla.redhat.com/show_bug.cgi?id=1415543 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') CWE-209: Generation of Error Message Containing Sensitive Information •