PT-2018-7119 · Hawtio · Hawtio Servlet
Adam Mariš
·
Published
2018-07-26
·
Updated
2022-05-13
·
CVE-2017-2589
CVSS v3.1
9.0
Critical
| Vector | AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions:
hawtio servlet version 1.4
Description:
An issue was found where the hawtio servlet uses a single HttpClient instance to proxy requests; because that instance keeps a persistent cookie store, all clients end up sharing the same cookies. Cookies are stored locally in the proxy rather than being passed between the client and the end URL.
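The pattern described above and its corrected form, as an added illustration that is not hawtio's own code: it uses Apache HttpClient 4.x, and the class and method names are assumptions.

```java
import org.apache.http.client.methods.CloseableHttpResponse;
import org.apache.http.client.methods.HttpGet;
import org.apache.http.client.protocol.HttpClientContext;
import org.apache.http.impl.client.BasicCookieStore;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.impl.client.HttpClients;
import java.io.IOException;

// Vulnerable shape (hypothetical class): one HttpClient serves every proxied
// request. The default client keeps an in-memory cookie store, so a Set-Cookie
// returned for user A's request is silently replayed on user B's next request
// to the same upstream host.
final class SharedCookieJarProxy {
    private static final CloseableHttpClient SHARED = HttpClients.createDefault();

    static CloseableHttpResponse forward(String targetUrl) throws IOException {
        // Every call reads from and writes to SHARED's single cookie store.
        return SHARED.execute(new HttpGet(targetUrl));
    }
}

// Hardened shape (hypothetical class): the pooled client is still shared for
// connection reuse, but each call gets its own HttpClientContext with a fresh
// BasicCookieStore. Cookies set upstream live only for this call and are
// never visible to another caller.
final class IsolatedCookieJarProxy {
    private static final CloseableHttpClient POOLED = HttpClients.createDefault();

    static CloseableHttpResponse forward(String targetUrl) throws IOException {
        HttpClientContext ctx = HttpClientContext.create();
        ctx.setCookieStore(new BasicCookieStore()); // per-request, discarded afterwards
        return POOLED.execute(new HttpGet(targetUrl), ctx);
    }
}
```

If the proxy must relay cookies end to end, copy the caller's Cookie header onto the upstream request and the upstream Set-Cookie headers back onto the caller's response explicitly, rather than letting any client-side store hold them.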
Recommendations:
For hawtio servlet version 1.4, consider disabling the proxy functionality until a patch is available, to prevent cookie sharing among clients. Restrict access to the hawtio servlet to minimize the risk of exploitation.
Fix
Information Disclosure
Improper Authorization
Affected Products
Hawtio Servlet