CVE-2018-10899 – jolokia: system-wide CSRF that could lead to Remote Code Execution
https://notcve.org/view.php?id=CVE-2018-10899
A flaw was found in Jolokia versions from 1.2 to before 1.6.1. Affected versions are vulnerable to a system-wide CSRF: the protection can be defeated even on properly configured instances that enforce strict checking of the Origin and Referer headers. Because Jolokia exposes JMX MBean operations over HTTP, a forged cross-site request can invoke those operations on the target, which could result in Remote Code Execution. Fixed in Jolokia 1.6.1.

References:
https://access.redhat.com/errata/RHSA-2019:2413
https://access.redhat.com/errata/RHSA-2019:2804
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-10899
https://jolokia.org/changes-report.html#a1.6.1
https://lists.apache.org/thread.html/1392fbebb4fbbec379a40d16e1288fe1e4c0289d257e5206051a3793%40%3Cissues.activemq.apache.org%3E
https://lists.apache.org/thread.html/r46f6dbc029f49e1f638c6eb82accb94b7f990d818cb3b3bc0007dd0a%40%3Cissues.activemq.apache.org%3E
https://lists.apache.org/thread.html/r64701caec91c43efd7416d6bddef88447371101e00e8562

Weaknesses: CWE-20: Improper Input Validation; CWE-352: Cross-Site Request Forgery (CSRF)
CVE-2018-1000129 – jolokia: Cross site scripting in the HTTP servlet
https://notcve.org/view.php?id=CVE-2018-1000129
An XSS vulnerability exists in the Jolokia agent version 1.3.7: the HTTP servlet does not properly neutralise user-controlled input when generating its response (CWE-79), which allows an attacker to execute malicious JavaScript in the victim's browser. The linked Jolokia page lists the fix among the security fixes shipped with 1.5.0, and the linked GitHub commit is the corresponding code change.

References:
https://access.redhat.com/errata/RHSA-2018:2669
https://access.redhat.com/errata/RHSA-2018:3817
https://github.com/rhuss/jolokia/commit/5895d5c137c335e6b473e9dcb9baf748851bbc5f#diff-f19898247eddb55de6400489bff748ad
https://jolokia.org/#Security_fixes_with_1.5.0
https://access.redhat.com/security/cve/CVE-2018-1000129
https://bugzilla.redhat.com/show_bug.cgi?id=1559317

Weakness: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
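The practical first step for both entries above is to find out which Jolokia agent version a host is running and compare it against the affected ranges the advisories state (1.2 <= agent < 1.6.1 for the CSRF, agent 1.3.7 for the XSS). The script below is an added example, not code from the advisories or from the Jolokia project. It parses the JSON a Jolokia agent returns for its standard version request (GET /jolokia/version, whose value.agent field carries the agent version string) and reports which of the two CVEs the version falls into. The sample response embedded in it is constructed for the example, not captured from a real host, and the check is a version fingerprint only, not a proof of exploitability.

```python
"""Version fingerprint for CVE-2018-10899 and CVE-2018-1000129.

Added example; not part of the advisories or of Jolokia itself.
Assumes the agent answers GET /jolokia/version with JSON whose
value.agent field is the agent version string.
"""
import json
import re
from typing import List, Optional, Tuple

Version = Tuple[int, int, int]

# Affected ranges as stated by the advisories above:
# (lower bound inclusive, upper bound exclusive).
AFFECTED = {
    # "from 1.2 to before 1.6.1" (system-wide CSRF, fixed in 1.6.1)
    "CVE-2018-10899": ((1, 2, 0), (1, 6, 1)),
    # The advisory names only 1.3.7; the linked Jolokia page files the
    # fix under 1.5.0, so widen this range if you want a stricter scan.
    "CVE-2018-1000129": ((1, 3, 7), (1, 3, 8)),
}


def parse_version(text: str) -> Version:
    """Turn '1.2', '1.3.7' or '1.6.1-SNAPSHOT' into a comparable 3-tuple.

    Missing components default to 0; any qualifier after the numeric
    part (e.g. '-SNAPSHOT') is ignored.
    """
    m = re.match(r"^\s*(\d+)(?:\.(\d+))?(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch = (int(g) if g is not None else 0 for g in m.groups())
    return (major, minor, patch)


def affected_cves(agent_version: str) -> List[str]:
    """Return the CVE ids (in advisory order) whose range contains the version."""
    v = parse_version(agent_version)
    return [cve for cve, (lo, hi) in AFFECTED.items() if lo <= v < hi]


def agent_version_from_response(body: str) -> Optional[str]:
    """Extract value.agent from a /jolokia/version JSON response body.

    Returns None if the body is not the expected shape, so that a
    non-Jolokia endpoint is reported rather than crashing the scan.
    """
    try:
        doc = json.loads(body)
    except json.JSONDecodeError:
        return None
    value = doc.get("value") if isinstance(doc, dict) else None
    if not isinstance(value, dict):
        return None
    agent = value.get("agent")
    return agent if isinstance(agent, str) else None


def check_host_response(body: str) -> dict:
    """Classify one host from its /jolokia/version response body."""
    agent = agent_version_from_response(body)
    if agent is None:
        return {"agent": None, "cves": [], "error": "no value.agent in response"}
    return {"agent": agent, "cves": affected_cves(agent), "error": None}


# Constructed sample response (not captured from a real host).
SAMPLE_RESPONSE = json.dumps({
    "request": {"type": "version"},
    "value": {"agent": "1.3.7", "protocol": "7.2"},
    "status": 200,
})

if __name__ == "__main__":
    print(check_host_response(SAMPLE_RESPONSE))
```

To use it against a real host, fetch `/jolokia/version` with your HTTP client of choice and pass the body to `check_host_response`; anything the agent reports as 1.6.1 or later clears both ranges, and a version that clears the ranges here still deserves a check that the agent is not reachable from untrusted origins at all.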