CVE-2017-2589

HIGH

hawtio < 1.5.0 - Improper Authorization via Shared HttpClient Cookie Store

Title source: llm

Description

It was discovered that the hawtio servlet 1.4 uses a single HttpClient instance to proxy requests with a persistent cookie store (cookies are stored locally and are not passed between the client and the end URL) which means all clients using that proxy are sharing the same cookies.

References (2)

Core 2

Core References

Vendor Advisory vendor-advisory x_refsource_redhat

https://access.redhat.com/errata/RHSA-2017:1832

Issue Tracking, Vendor Advisory x_refsource_confirm

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-2589

Scores

CVSS v3 8.7

EPSS 0.0093

EPSS Percentile 55.8%

Attack Vector NETWORK

CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N

Details

CWE

CWE-285

Status published

Products (3)

hawt/hawtio 1.4.0

io.hawt/project 0 - 1.5.0Maven

redhat/jboss_fuse 6.3

Published Jul 26, 2018

Tracked Since Feb 18, 2026