CVSS: 9.8EPSS: 4%CPEs: 1EXPL: 2CVE-2019-9827 – hawtio: server side request forgery via initial /proxy/ substring of a URI
https://notcve.org/view.php?id=CVE-2019-9827
03 Jul 2019 — Hawt Hawtio through 2.5.0 is vulnerable to SSRF, allowing a remote attacker to trigger an HTTP request from an affected server to an arbitrary host via the initial /proxy/ substring of a URI. Hawt Hawtio hasta la versión 2.5.0 es vulnerable a SSRF, permite a un atacante remoto que desencadene una petición HTTP desde un servidor afectado a un host arbitrario mediante initial/proxy/ substring de un URI. AMQ Broker is a high-performance messaging implementation based on ActiveMQ Artemis. It uses an asynchronou... • https://packetstorm.news/files/id/153524 • CWE-602: Client-Side Enforcement of Server-Side Security CWE-918: Server-Side Request Forgery (SSRF) •
CVSS: 7.8EPSS: 0%CPEs: 1EXPL: 0CVE-2017-2617 – Hawtio: Unrestricted file upload leads to RCE
https://notcve.org/view.php?id=CVE-2017-2617
14 Feb 2018 — hawtio before version 1.5.5 is vulnerable to remote code execution via file upload. An attacker could use this vulnerability to upload a crafted file which could be executed on a target machine where hawtio is deployed. hawtio en versiones anteriores a la 1.5.5 es vulnerable a la ejecución remota de código mediante la subida de archivos. Un atacante podría usar esta vulnerabilidad para subir un archivo manipulado que podría ejecutarse en una máquina objetivo en la que se está desplegando hawtio. It was foun... • http://www.securityfocus.com/bid/96036 • CWE-20: Improper Input Validation CWE-434: Unrestricted Upload of File with Dangerous Type •
CVSS: 9.0EPSS: 0%CPEs: 2EXPL: 0CVE-2017-2589 – hawtio: Proxy is sharing cookies among all the clients
https://notcve.org/view.php?id=CVE-2017-2589
10 Aug 2017 — It was discovered that the hawtio servlet 1.4 uses a single HttpClient instance to proxy requests with a persistent cookie store (cookies are stored locally and are not passed between the client and the end URL) which means all clients using that proxy are sharing the same cookies. Se ha descubierto que el servlet 1.4 de hawtio utiliza una única instancia HttpClient para las peticiones del proxy con un almacén de cookies persistente (las cookies se almacenan localmente y no se pasan entre el cliente y la UR... • https://access.redhat.com/errata/RHSA-2017:1832 • CWE-285: Improper Authorization •
CVSS: 7.5EPSS: 2%CPEs: 1EXPL: 0CVE-2017-2594 – hawtio: information Disclosure flaws due to unsafe path traversal
https://notcve.org/view.php?id=CVE-2017-2594
10 Aug 2017 — hawtio before versions 2.0-beta-1, 2.0-beta-2 2.0-m1, 2.0-m2, 2.0-m3, and 1.5 is vulnerable to a path traversal that leads to a NullPointerException with a full stacktrace. An attacker could use this flaw to gather undisclosed information from within hawtio's root. hawtio en versiones anteriores a la 2.0-beta-1, 2.0-beta-2 2.0-m1, 2.0-m2, 2.0-m3 y 1.5 es vulnerable a un salto de directorio que conduce a una excepción de puntero NULL con una stacktrace completa. Un atacante podría utilizar este fallo para re... • http://www.securityfocus.com/bid/95793 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') CWE-209: Generation of Error Message Containing Sensitive Information •