Bug 1419363 (CVE-2017-2617) - CVE-2017-2617 Hawtio: Unrestricted file upload leads to RCE
Summary: CVE-2017-2617 Hawtio: Unrestricted file upload leads to RCE
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2017-2617
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks: 1418893
 
Reported: 2017-02-05 23:11 UTC by Hooman Broujerdi
Modified: 2021-10-21 11:50 UTC (History)
CC List: 9 users

Fixed In Version: hawtio 1.5.5
Doc Type: If docs needed, set a value
Doc Text:
It was found that a flaw in hawtio could lead to remote code execution via file upload. An attacker could use this vulnerability to upload a crafted file which could then be executed on the target machine where hawtio is deployed.
Clone Of:
Environment:
Last Closed: 2021-10-21 11:50:52 UTC
Embargoed:




Links
System: Red Hat Product Errata
ID: RHSA-2018:0319
Private: 0
Priority: normal
Status: SHIPPED_LIVE
Summary: Important: Red Hat JBoss Fuse/A-MQ 6.3 R6 security and bug fix update
Last Updated: 2018-02-15 00:29:46 UTC

Description Hooman Broujerdi 2017-02-05 23:11:14 UTC
It was found that a flaw in hawtio could cause remote code execution via file upload. An attacker could use this vulnerability to upload a crafted file which could be executed on the target machine where hawtio is deployed.
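
The report above names only the flaw class: an upload endpoint that trusts the client-supplied file name and content, so an attacker can drop an executable file (a JSP, for example) where the application server will run it. The Python below is an added example and is not hawtio's code or the fix shipped in hawtio 1.5.5; it places the unrestricted pattern beside a hardened destination calculation that strips path components, allow-lists a single extension, checks the content's leading bytes against that extension, and confines writes to a directory the server never executes from. The upload directory, the allowed types and every function name are assumptions chosen for illustration.

```python
import posixpath
import re

# Assumed layout (hypothetical, not hawtio's): uploads land in a directory
# that the application server neither serves nor executes from.
UPLOAD_DIR = "/var/lib/app/uploads"

# Allow-list of extensions paired with the bytes a genuine file of that
# type starts with. Anything not listed (.jsp, .war, .sh, ...) is refused.
ALLOWED_TYPES = {
    ".png": b"\x89PNG\r\n\x1a\n",
    ".jpg": b"\xff\xd8\xff",
    ".pdf": b"%PDF-",
}

# One stem, no dots: 'shell.jsp.png' is refused because some servers pick
# the handler from an inner extension rather than the last one.
STEM_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9_-]{0,63}")


class UploadRejected(ValueError):
    """Raised when a client-supplied upload fails validation."""


def unsafe_destination(client_name: str, upload_dir: str = UPLOAD_DIR) -> str:
    """The unrestricted pattern: the client-supplied name is used as-is.

    No extension check and no normalisation, so a name such as
    '../../webapps/ROOT/cmd.jsp' resolves inside the container's web root,
    where the uploaded file is executed on the next request for it.
    """
    return posixpath.normpath(posixpath.join(upload_dir, client_name))


def safe_filename(client_name: str) -> str:
    """Reduce a client-supplied name to a single safe base name or refuse it."""
    # Treat backslashes as separators too; Windows clients and some
    # frameworks pass them through unchanged.
    base = posixpath.basename(client_name.replace("\\", "/"))
    stem, ext = posixpath.splitext(base)
    ext = ext.lower()
    if ext not in ALLOWED_TYPES:
        raise UploadRejected(f"extension {ext!r} is not allowed")
    if not STEM_RE.fullmatch(stem):
        raise UploadRejected(f"stem {stem!r} contains disallowed characters")
    return stem + ext


def validate_content(filename: str, data: bytes) -> None:
    """Refuse content that does not start like the type its extension claims."""
    magic = ALLOWED_TYPES[posixpath.splitext(filename)[1]]
    if not data.startswith(magic):
        raise UploadRejected("content does not match the claimed file type")


def safe_destination(client_name: str, data: bytes,
                     upload_dir: str = UPLOAD_DIR) -> str:
    """Hardened version: the only path an accepted upload may be written to."""
    name = safe_filename(client_name)
    validate_content(name, data)
    dest = posixpath.join(upload_dir, name)
    # Defence in depth: the sanitised name cannot contain a separator, but
    # assert containment anyway so a later change cannot reintroduce traversal.
    if posixpath.dirname(dest) != upload_dir:
        raise UploadRejected("destination escaped the upload directory")
    return dest


def is_rejected(client_name: str, data: bytes = b"") -> bool:
    """True when the hardened path refuses the upload."""
    try:
        safe_destination(client_name, data)
    except UploadRejected:
        return True
    return False


if __name__ == "__main__":
    # Constructed sample inputs: a traversal attempt and a genuine PNG header.
    attack = "../../webapps/ROOT/cmd.jsp"
    png = ALLOWED_TYPES[".png"] + b"\x00" * 8
    print("unrestricted:", unsafe_destination(attack))
    print("hardened rejects traversal:", is_rejected(attack, b"<% %>"))
    print("hardened accepts:", safe_destination("logo.png", png))
```

The content check is deliberately minimal (leading bytes only); a polyglot that is both a valid image and a valid script still passes it, which is why the upload directory itself must be one the server cannot execute from, and why the file name, not only the content, is normalised before any path is built.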

Comment 1 Hooman Broujerdi 2017-02-05 23:11:23 UTC
Acknowledgments:

Name: Hooman Broujerdi (Red Hat)

Comment 3 errata-xmlrpc 2018-02-14 19:29:52 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Fuse

Via RHSA-2018:0319 https://access.redhat.com/errata/RHSA-2018:0319

Comment 4 Joshua Padman 2019-08-06 04:25:28 UTC
This vulnerability is out of security support scope for the following products:
 * Red Hat JBoss Fuse 6
 * Red Hat JBoss A-MQ 6

Please refer to https://access.redhat.com/support/policy/updates/jboss_notes for more details.

