CVE-2017-2589 — Improper Authorization in RED HAT Hawtio

CWE-285 — Improper Authorization CWE-200 — Sensitive Information Exposure6 documents6 sources

Severity

9.0CRITICALNVD

CNA8.7

EPSS

0.2%

top 62.19%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

RED HAT Hawtio Hawt Hawtio Redhat Jboss Fuse

Timeline

PublishedJul 26

Latest updateMay 13

Description

It was discovered that the hawtio servlet 1.4 uses a single HttpClient instance to proxy requests with a persistent cookie store (cookies are stored locally and are not passed between the client and the end URL) which means all clients using that proxy are sharing the same cookies.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:HExploitability: 2.3 | Impact: 6.0

Affected Packages3 packages

▶NVDhawt/hawtio1.4.0

▶CVEListV5red_hat/hawtio1.4

▶NVDredhat/jboss_fuse6.3

🔴Vulnerability Details

OSV

Insecure cookie sharing in Hawtio↗2022-05-13

▶

GHSA

Insecure cookie sharing in Hawtio↗2022-05-13

▶

CVEList

CVE-2017-2589: It was discovered that the hawtio servlet 1↗2018-07-26

▶

📋Vendor Advisories

Red Hat

hawtio: Proxy is sharing cookies among all the clients↗2017-07-28

▶

💬Community

Bugzilla

CVE-2017-2589 hawtio: Proxy is sharing cookies among all the clients↗2017-01-17

▶