hawtio-karaf-terminal is vulnerable to cross-site request forgery (CSRF). An attacker can leverage an authenticated user's session to run commands on the Karaf server, such as `shutdown -f`.
CPE | Name | Operator | Version
---|---|---|---
 | hawtio-karaf-terminal | le | 1.2.2
bugzilla.redhat.com/show_bug.cgi?id=1072681
github.com/hawtio/hawtio/commit/b4e23e002639c274a2f687ada980118512f06113
infocon.org/cons/SyScan/SyScan%202015%20Singapore/SyScan%202015%20Singapore%20presentations/SyScan15%20David%20Jorm%20-%20Finding%20and%20exploiting%20novel%20flaws%20in%20Java%20software.pdf