Description

Cross-site request forgery (CSRF) vulnerability in the admin terminal in Hawt.io allows remote attackers to hijack the authentication of arbitrary users for requests that run commands on the Karaf server, as demonstrated by running "shutdown -f."

Remediation

References

https://bugzilla.redhat.com/show_bug.cgi?id=1072681

https://github.com/hawtio/hawtio/commit/b4e23e002639c274a2f687ada980118512f06113

https://infocon.org/cons/SyScan/SyScan%202015%20Singapore/SyScan%202015%20Singapore%20presentations/SyScan15%20David%20Jorm%20-%20Finding%20and%20exploiting%20novel%20flaws%20in%20Java%20software.pdf

Related Vulnerabilities

CVE-2022-29567 Vulnerability in maven package com.vaadin:vaadin-grid-flow

CVE-2022-36097 Vulnerability in maven package org.xwiki.platform:xwiki-platform-attachment-ui

CVE-2022-25878 Vulnerability in maven package org.webjars.npm:protobufjs

CVE-2021-41411 Vulnerability in maven package org.drools:drools-core

CVE-2023-45282 Vulnerability in npm package openmct

Severity

Critical

Classification

CWE-352 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Tags

Issue Tracking Patch Third Party Advisory