Vulnerability Details CVE-2014-0121
The admin terminal in Hawt.io does not require authentication, which allows remote attackers to execute arbitrary commands via the k parameter.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.016
EPSS Ranking 80.9%
CVSS Severity
CVSS v3 Score 9.8
CVSS v2 Score 7.5
References
- https://bugzilla.redhat.com/show_bug.cgi?id=1072716
- https://github.com/hawtio/hawtio/commit/5289715e4f2657562fdddcbad830a30969b96e1e
- https://infocon.org/cons/SyScan/SyScan%202015%20Singapore/SyScan%202015%20Singapore%20presentations/SyScan15%20David%20Jorm%20-%20Finding%20and%20exploiting%20novel%20flaws%20in%20Java%20software.pdf
- https://bugzilla.redhat.com/show_bug.cgi?id=1072716
- https://github.com/hawtio/hawtio/commit/5289715e4f2657562fdddcbad830a30969b96e1e
- https://infocon.org/cons/SyScan/SyScan%202015%20Singapore/SyScan%202015%20Singapore%20presentations/SyScan15%20David%20Jorm%20-%20Finding%20and%20exploiting%20novel%20flaws%20in%20Java%20software.pdf
Products affected by CVE-2014-0121
-
cpe:2.3:a:hawt:hawtio:0.1
-
cpe:2.3:a:hawt:hawtio:1.0
-
cpe:2.3:a:hawt:hawtio:1.1
-
cpe:2.3:a:hawt:hawtio:1.2.0
-
cpe:2.3:a:hawt:hawtio:1.2.1
-
cpe:2.3:a:hawt:hawtio:1.2.2
-
cpe:2.3:a:redhat:jboss_fuse:6.1.0