CVE-2014-0121
Published: 2017-12-29
CVE-2014-0121: The admin terminal in Hawt.io does not require authentication, which allows remote attackers to execute arbitrary commands via the k parameter.
Priority P265 · Critical 9.8 (CVSS 3.0)
CVSS 3.0 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 3.86% (88.9th percentile)
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| hawt | hawtio | <= 1.2.2 | — |
| redhat | jboss_fuse | — | — |
Detection & IOCs (extracted from sources)
- The hawtio-karaf-terminal admin terminal endpoint requires no authentication; monitor for unauthenticated HTTP requests targeting the terminal endpoint with a 'k' parameter containing shell commands.
- Alert on arbitrary command execution in the context of the Karaf server process originating from the hawtio terminal component.
- Vulnerability only affects Red Hat JBoss Fuse 6.1.0 Beta; the GA release of 6.1.0 is patched and earlier versions are not affected as they did not include the hawtio-karaf-terminal component.
- Upstream patches are available at the referenced GitHub commits for hawtio.
CVSS provenance
- NVD v3.0: 9.8 CRITICAL (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
- NVD v2.0: 7.5 HIGH (AV:N/AC:L/Au:N/C:P/I:P/A:P)
No detection rules found.
No public exploits indexed.
References
- https://bugzilla.redhat.com/show_bug.cgi?id=1072716
- https://github.com/hawtio/hawtio/commit/5289715e4f2657562fdddcbad830a30969b96e1e
- https://infocon.org/cons/SyScan/SyScan%202015%20Singapore/SyScan%202015%20Singapore%20presentations/SyScan15%20David%20Jorm%20-%20Finding%20and%20exploiting%20novel%20flaws%20in%20Java%20software.pdf