CVE-2009-4188

HP Operations Dashboard - RCE

Description

HP Operations Dashboard has a default password of j2deployer for the j2deployer account, which allows remote attackers to execute arbitrary code via a session that uses the manager role to conduct unrestricted file upload attacks against the /manager servlet in the Tomcat servlet container. NOTE: this might overlap CVE-2009-3098.

Exploits (4)

metasploit WORKING POC EXCELLENT
by jduck · ruby · poc · java
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/tomcat_mgr_deploy.rb
metasploit WORKING POC EXCELLENT
ruby · poc · java
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/tomcat_mgr_upload.rb
exploitdb WORKING POC
ruby · remote · multiple
https://www.exploit-db.com/exploits/16317
exploitdb WRITEUP VERIFIED
by Intevydis · text · remote · multiple
https://www.exploit-db.com/exploits/33211

Scores

EPSS 0.8783
EPSS Percentile 99.5%

Classification

CWE
CWE-255
Status draft

Affected Products (1)

hp/operations_dashboard

Timeline

Published Dec 03, 2009
Tracked Since Feb 18, 2026