CVE-2018-10899 – jolokia: system-wide CSRF that could lead to Remote Code Execution
https://notcve.org/view.php?id=CVE-2018-10899
A flaw was found in Jolokia versions from 1.2 to before 1.6.1. Affected versions are vulnerable to a system-wide CSRF, and this holds true even for properly configured instances with strict checking of the Origin and Referer headers. This could result in remote code execution.

• https://access.redhat.com/errata/RHSA-2019:2413
• https://access.redhat.com/errata/RHSA-2019:2804
• https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-10899
• https://jolokia.org/changes-report.html#a1.6.1
• https://lists.apache.org/thread.html/1392fbebb4fbbec379a40d16e1288fe1e4c0289d257e5206051a3793%40%3Cissues.activemq.apache.org%3E
• https://lists.apache.org/thread.html/r46f6dbc029f49e1f638c6eb82accb94b7f990d818cb3b3bc0007dd0a%40%3Cissues.activemq.apache.org%3E
• https://lists.apache.org/thread.html/r64701caec91c43efd7416d6bddef88447371101e00e8562

• CWE-20: Improper Input Validation
• CWE-352: Cross-Site Request Forgery (CSRF)
CVE-2014-0168 – Jolokia: cross-site request forgery (CSRF)
https://notcve.org/view.php?id=CVE-2014-0168
A cross-site request forgery (CSRF) vulnerability in Jolokia before 1.2.1 allows remote attackers to hijack the authentication of users for requests that execute MBean methods via a crafted web page: a user who is logged in to Jolokia and visits the attacker's page can be made to invoke arbitrary methods on MBeans exposed via JMX.

• http://rhn.redhat.com/errata/RHSA-2014-1351.html
• https://github.com/rhuss/jolokia/commit/2d9b168cfbbf5a6d16fa6e8a5b34503e3dc42364
• https://access.redhat.com/security/cve/CVE-2014-0168
• https://bugzilla.redhat.com/show_bug.cgi?id=1084838

• CWE-352: Cross-Site Request Forgery (CSRF)
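The pattern both entries (CVE-2014-0168 and CVE-2018-10899) describe is the same: a browser attaches the victim's cookies or cached credentials to cross-site requests, so an agent that exposes JMX operations over plain HTTP has to decide from request headers whether a request really came from its own console. The following is an added example for this page, not Jolokia's code and not the actual fix in either release. It models two Origin/Referer policies, a permissive one that treats a request carrying neither header as same-origin and a strict one that requires an allow-listed origin, and runs both over constructed requests, including a GET fired from an attacker page with referrer suppression. The allow-list, hostnames and request shapes are assumptions; only the URL layout (/jolokia/exec/<mbean>/<operation>, /jolokia/read/<mbean>/<attribute>) follows Jolokia's GET request form.

```python
"""Why a permissive Origin/Referer check does not stop CSRF against a JMX-over-HTTP agent.

Added example, not Jolokia's code. ALLOWED_ORIGINS, the hostnames and the sample
requests are constructed; the paths only mimic Jolokia's GET URL layout.
"""

from urllib.parse import urlsplit

# Assumed deployment value: the only web origin allowed to drive the agent.
ALLOWED_ORIGINS = {"https://ops.example.internal"}


def _origin_of(url):
    """Reduce an absolute URL (e.g. a Referer) to its scheme://host[:port] origin."""
    parts = urlsplit(url)
    if not parts.scheme or not parts.netloc:
        return None
    return f"{parts.scheme}://{parts.netloc}".lower()


def _request_origin(headers):
    """Derive the requesting origin from Origin, falling back to Referer; None if neither is present."""
    lowered = {k.lower(): v for k, v in headers.items()}
    if "origin" in lowered:
        return lowered["origin"].lower()
    if "referer" in lowered:
        return _origin_of(lowered["referer"])
    return None


def permissive_check(headers):
    """Flawed policy: a request carrying neither header is assumed to be same-origin."""
    origin = _request_origin(headers)
    if origin is None:
        return True
    return origin in ALLOWED_ORIGINS


def strict_check(headers):
    """Hardened policy: an origin must be present and must be allow-listed."""
    origin = _request_origin(headers)
    return origin is not None and origin in ALLOWED_ORIGINS


# Constructed requests. Headers are what a browser (or script) would actually send.
SAMPLE_REQUESTS = {
    # Operator's console posting a JSON request: browser adds Origin and Referer.
    "console_post": {
        "method": "POST", "path": "/jolokia/",
        "headers": {"Origin": "https://ops.example.internal",
                    "Referer": "https://ops.example.internal/dashboard"},
    },
    # Attacker page doing a cross-site POST: the browser sets Origin to the attacker's site.
    "attacker_post": {
        "method": "POST", "path": "/jolokia/",
        "headers": {"Origin": "https://attacker.example",
                    "Referer": "https://attacker.example/"},
    },
    # Attacker page with <meta name="referrer" content="no-referrer"> loading
    # <img src="https://agent/jolokia/exec/java.lang:type=Memory/gc">: the browser
    # sends the victim's credentials but no Origin (not a CORS request) and no Referer.
    "attacker_img_get": {
        "method": "GET", "path": "/jolokia/exec/java.lang:type=Memory/gc",
        "headers": {},
    },
    # Non-browser monitoring script that sends no Origin or Referer at all.
    "script_get": {
        "method": "GET", "path": "/jolokia/read/java.lang:type=Memory/HeapMemoryUsage",
        "headers": {"User-Agent": "collector/1.0"},
    },
}


def evaluate(requests=SAMPLE_REQUESTS):
    """Return {name: (permissive_allowed, strict_allowed)} for each constructed request."""
    return {name: (permissive_check(r["headers"]), strict_check(r["headers"]))
            for name, r in requests.items()}


if __name__ == "__main__":
    for name, (perm, strict) in evaluate().items():
        print(f"{name:18} permissive={'allow' if perm else 'deny':5} "
              f"strict={'allow' if strict else 'deny'}")
```

The referrer-suppressed image GET is the case to watch: it carries the victim's session but neither header, so the permissive policy lets it through while the strict one denies it. The strict policy also denies the monitoring script, which is the operational cost of closing that path; in this model such clients would have to send an allow-listed Origin header themselves.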