CVE-2014-0120
high
CVSS v3
8.8
CVSS v2
6.8
VIR risk
8.8
Description
Cross-site request forgery (CSRF) vulnerability in the admin terminal in Hawt.io allows remote attackers to hijack the authentication of arbitrary users for requests that run commands on the Karaf server, as demonstrated by running "shutdown -f."
Predictions
Exploit likelihood
92%
Patch ETA
—
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
Vendor advisory: secalert@redhat.com — https://github.com/hawtio/hawtio/commit/b4e23e002639c274a2f687ada980118512f06113
Vendor advisory: secalert@redhat.com — https://bugzilla.redhat.com/show_bug.cgi?id=1072681
Application impact
| Vendor | Product | Versions | Fixed |
|---|---|---|---|
| hawt | hawtio | {"endIncluding":"1.2.2"} | |
| redhat | jboss_fuse | 6.1.0 | |
References
- https://bugzilla.redhat.com/show_bug.cgi?id=1072681
- https://github.com/hawtio/hawtio/commit/b4e23e002639c274a2f687ada980118512f06113
- https://infocon.org/cons/SyScan/SyScan%202015%20Singapore/SyScan%202015%20Singapore%20presentations/SyScan15%20David%20Jorm%20-%20Finding%20and%20exploiting%20novel%20flaws%20in%20Java%20software.pdf
- https://bugzilla.redhat.com/show_bug.cgi?id=1072681
- https://github.com/hawtio/hawtio/commit/b4e23e002639c274a2f687ada980118512f06113
- https://infocon.org/cons/SyScan/SyScan%202015%20Singapore/SyScan%202015%20Singapore%20presentations/SyScan15%20David%20Jorm%20-%20Finding%20and%20exploiting%20novel%20flaws%20in%20Java%20software.pdf
CWEs
CWE-352
Verify integrity in audit chain (admin only). AS-IS.