Description

Cross-site request forgery (CSRF) vulnerability in the admin terminal in Hawt.io allows remote attackers to hijack the authentication of arbitrary users for requests that run commands on the Karaf server, as demonstrated by running "shutdown -f."

Remediation

References

https://bugzilla.redhat.com/show_bug.cgi?id=1072681

https://github.com/hawtio/hawtio/commit/b4e23e002639c274a2f687ada980118512f06113

https://infocon.org/cons/SyScan/SyScan%202015%20Singapore/SyScan%202015%20Singapore%20presentations/SyScan15%20David%20Jorm%20-%20Finding%20and%20exploiting%20novel%20flaws%20in%20Java%20software.pdf

Related Vulnerabilities

CVE-2023-44487 Vulnerability in maven package org.apache.tomcat.embed:tomcat-embed-core

CVE-2022-25875 Vulnerability in npm package svelte

CVE-2023-39013 Vulnerability in maven package no.priv.garshol.duke:duke

CVE-2023-44981 Vulnerability in maven package org.apache.zookeeper:zookeeper

CVE-2023-49620 Vulnerability in maven package org.apache.dolphinscheduler:dolphinscheduler-common

Severity

Critical

Classification

CWE-352 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Tags

Issue Tracking Patch Third Party Advisory