CVE-2017-2594 - OpenCVE

hawtio before versions 2.0-beta-1, 2.0-beta-2 2.0-m1, 2.0-m2, 2.0-m3, and 1.5 is vulnerable to a path traversal that leads to a NullPointerException with a full stacktrace. An attacker could use this flaw to gather undisclosed information from within hawtio's root.

No CVSS v3.1

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

AV:N/AC:L/Au:N/C:P/I:N/A:N

Vendors & Products
CPE Configurations

Vendors	Products
Hawt	Hawtio

Configuration 1 [-]

cpe:2.3:a:hawt:hawtio:*:*:*:*:*:*:*:*

References

Link	Resource
http://www.securityfocus.com/bid/95793	Third Party Advisory VDB Entry
https://access.redhat.com/errata/RHSA-2017:1832	Third Party Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-2594	Issue Tracking Third Party Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: redhat

Published: 2018-05-08T17:00:00

Updated: 2018-05-09T09:57:01

Reserved: 2016-12-01T00:00:00

Link: CVE-2017-2594

JSON object: View

NVD Information

Status : Modified

Published: 2018-05-08T17:29:00.670

Modified: 2019-10-09T23:26:53.837

Link: CVE-2017-2594

JSON object: View

Redhat Information

No data.

CWE

{"containers": {"cna": {"affected": [{"product": "hawtio", "vendor": "unspecified", "versions": [{"status": "affected", "version": "hawtio 2.0-beta-1"}, {"status": "affected", "version": " hawtio 2.0-beta-2 hawtio 2.0-M1"}, {"status": "affected", "version": " hawtio 2.0-M2"}, {"status": "affected", "version": " hawtio 2.0-M3"}, {"status": "affected", "version": " hawtio 1.5"}]}], "datePublic": "2017-08-10T00:00:00", "descriptions": [{"lang": "en", "value": "hawtio before versions 2.0-beta-1, 2.0-beta-2 2.0-m1, 2.0-m2, 2.0-m3, and 1.5 is vulnerable to a path traversal that leads to a NullPointerException with a full stacktrace. An attacker could use this flaw to gather undisclosed information from within hawtio's root."}], "metrics": [{"cvssV3_0": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N", "version": "3.0"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-209", "description": "CWE-209", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2018-05-09T09:57:01", "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-2594"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://access.redhat.com/errata/RHSA-2017:1832"}, {"name": "95793", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/95793"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "secalert@redhat.com", "ID": "CVE-2017-2594", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "hawtio", "version": {"version_data": [{"version_value": "hawtio 2.0-beta-1"}, {"version_value": " hawtio 2.0-beta-2 hawtio 2.0-M1"}, {"version_value": " hawtio 2.0-M2"}, {"version_value": " hawtio 2.0-M3"}, {"version_value": " hawtio 1.5"}]}}]}, "vendor_name": ""}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "hawtio before versions 2.0-beta-1, 2.0-beta-2 2.0-m1, 2.0-m2, 2.0-m3, and 1.5 is vulnerable to a path traversal that leads to a NullPointerException with a full stacktrace. An attacker could use this flaw to gather undisclosed information from within hawtio's root."}]}, "impact": {"cvss": [[{"vectorString": "5.4/CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N", "version": "3.0"}]]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-209"}]}]}, "references": {"reference_data": [{"name": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-2594", "refsource": "CONFIRM", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-2594"}, {"name": "https://access.redhat.com/errata/RHSA-2017:1832", "refsource": "CONFIRM", "url": "https://access.redhat.com/errata/RHSA-2017:1832"}, {"name": "95793", "refsource": "BID", "url": "http://www.securityfocus.com/bid/95793"}]}}}}, "cveMetadata": {"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "cveId": "CVE-2017-2594", "datePublished": "2018-05-08T17:00:00", "dateReserved": "2016-12-01T00:00:00", "dateUpdated": "2018-05-09T09:57:01", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:hawt:hawtio:*:*:*:*:*:*:*:*", "matchCriteriaId": "5505C9D3-0CEE-4C5B-8F1B-B12DF491B37D", "versionEndIncluding": "1.4.68", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "hawtio before versions 2.0-beta-1, 2.0-beta-2 2.0-m1, 2.0-m2, 2.0-m3, and 1.5 is vulnerable to a path traversal that leads to a NullPointerException with a full stacktrace. An attacker could use this flaw to gather undisclosed information from within hawtio's root."}, {"lang": "es", "value": "hawtio en versiones anteriores a la 2.0-beta-1, 2.0-beta-2 2.0-m1, 2.0-m2, 2.0-m3 y 1.5 es vulnerable a un salto de directorio que conduce a una excepci\u00f3n de puntero NULL con una stacktrace completa. Un atacante podr\u00eda utilizar este fallo para reunir informaci\u00f3n no publicada de la ra\u00edz de hawtio."}], "id": "CVE-2017-2594", "lastModified": "2019-10-09T23:26:53.837", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.0"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N", "version": "3.0"}, "exploitabilityScore": 2.8, "impactScore": 2.5, "source": "secalert@redhat.com", "type": "Secondary"}]}, "published": "2018-05-08T17:29:00.670", "references": [{"source": "secalert@redhat.com", "tags": ["Third Party Advisory", "VDB Entry"], "url": "http://www.securityfocus.com/bid/95793"}, {"source": "secalert@redhat.com", "tags": ["Third Party Advisory"], "url": "https://access.redhat.com/errata/RHSA-2017:1832"}, {"source": "secalert@redhat.com", "tags": ["Issue Tracking", "Third Party Advisory"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-2594"}], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-22"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-209"}], "source": "secalert@redhat.com", "type": "Secondary"}]}