CVE-2017-2589

CRITICAL9.0EPSS 0.17%

Insecure cookie sharing in Hawtio

Published: 5/13/2022Modified: 11/8/2023

Description

It was discovered that the hawtio servlet 1.4 uses a single HttpClient instance to proxy requests with a persistent cookie store (cookies are stored locally and are not passed between the client and the end URL) which means all clients using that proxy are sharing the same cookies.

Affected packages (1)

Maven/io.hawt:projectfrom 0, < 1.5.0

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	CRITICAL9.0	CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H

References (5)

ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2017-2589
PATCHhttps://github.com/hawtio/hawtio
WEBhttps://access.redhat.com/errata/RHSA-2017:1832
WEBhttps://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-2589
WEBhttps://tadayoshi-sato.medium.com/securing-hawtio-f5fbfd5afcf0