CVE-2020-27219

MEDIUM LAB

Eclipse Hawkbit <0.3.0M7 - Info Disclosure

Title source: llm

Description

In all versions of Eclipse Hawkbit prior to 0.3.0M7, the HTTP 404 (Not Found) JSON response body returned by the REST API may contain unsafe characters within the path attribute. Sending a POST request to a non-existent resource returns the full path from the given URL to the client unescaped.

Exploits (1)

nomisec WRITEUP
by shoucheng3 · poc
https://github.com/shoucheng3/eclipse__hawkbit_CVE-2020-27219_0-3-0M6

Scores

CVSS v3 6.1
EPSS 0.0032
EPSS Percentile 54.8%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Lab Environment

COMMUNITY
Community Lab
docker pull hawkbit/hawkbit-update-server:0.2.0
docker pull hawkbit/hawkbit-update-server:0.2.0M4
docker pull hawkbit/hawkbit-update-server:0.2.0M9
docker pull hawkbit/hawkbit-update-server:0.2.1
docker pull hawkbit/hawkbit-update-server:0.2.2

Details

CWE
CWE-79
Status published
Products (3)
eclipse/hawkbit 0.3.0 m1 (6 CPE variants)
eclipse/hawkbit < 0.2.5
org.eclipse.hawkbit/hawkbit-parent 0 - 0.3.0M7 (Maven)
Published Jan 14, 2021
Tracked Since Feb 18, 2026