CVE-2017-2589

CRITICAL9.0EPSS 0.17%

Insecure cookie sharing in Hawtio

發布日:2022/5/13修改日:2023/11/8

描述

It was discovered that the hawtio servlet 1.4 uses a single HttpClient instance to proxy requests with a persistent cookie store (cookies are stored locally and are not passed between the client and the end URL) which means all clients using that proxy are sharing the same cookies.

受影響套件(1)

Maven/io.hawt:projectfrom 0, < 1.5.0

CVSS 分數

來源	版本	嚴重程度	向量
osv	CVSS 3.1	CRITICAL9.0	CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H

參考連結(5)

ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2017-2589
PATCHhttps://github.com/hawtio/hawtio
WEBhttps://access.redhat.com/errata/RHSA-2017:1832
WEBhttps://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-2589
WEBhttps://tadayoshi-sato.medium.com/securing-hawtio-f5fbfd5afcf0