io.hawt:hawtio-system@1.4.58 vulnerabilities

Direct Vulnerabilities

Known vulnerabilities in the io.hawt:hawtio-system package. This does not include vulnerabilities belonging to this package’s dependencies.

Vulnerability / Vulnerable Version
  • Medium severity
Arbitrary File Write via Archive Extraction (Zip Slip)

io.hawt:hawtio-system is a hawtio package for creating a Java modular web console.

Affected versions of this package are vulnerable to Arbitrary File Write via Archive Extraction (Zip Slip) in the unzip method. A crafted zip archive whose entry names contain path traversal sequences (such as `../`) causes entries to be written outside the intended extraction directory, so an attacker who can supply an archive can create or overwrite any file the hawtio process is allowed to write.
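As an added illustration (not hawtio's code, and written in Python rather than the project's Java), the block below contrasts the vulnerable pattern, joining each archive entry name straight onto the destination directory, with a contained extraction that canonicalises every target path and refuses the whole archive if any entry resolves outside the destination. The archive contents, directory names and the is_contained helper are constructed for this example. The same canonical-path containment check is the general defence against the Directory Traversal class listed further down this page.

```python
"""Zip Slip: unsafe vs. contained extraction. Added illustration, not hawtio code."""
import io
import os
import tempfile
import zipfile


def build_malicious_zip() -> bytes:
    """Constructed sample archive: one benign entry, one that escapes via '..'."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("plugin/manifest.txt", "benign\n")
        zf.writestr("../../escaped.txt", "written outside the extraction dir\n")
    return buf.getvalue()


def is_contained(root: str, entry_name: str) -> bool:
    """True only if root/entry_name resolves to a path at or beneath root.

    realpath() normalises '..' and follows symlinks that already exist;
    os.path.join() discards root when entry_name is absolute, which the
    commonpath comparison also catches.
    """
    root = os.path.realpath(root)
    target = os.path.realpath(os.path.join(root, entry_name))
    return os.path.commonpath([root, target]) == root


def unsafe_unzip(data: bytes, dest: str) -> None:
    """Vulnerable pattern: joins the attacker-controlled entry name onto dest."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            target = os.path.join(dest, info.filename)  # '..' is honoured here
            if info.is_dir():
                os.makedirs(target, exist_ok=True)
                continue
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with open(target, "wb") as out:
                out.write(zf.read(info))


def safe_unzip(data: bytes, dest: str) -> list:
    """Hardened: validate every entry before writing anything, then extract."""
    root = os.path.realpath(dest)
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        bad = [i.filename for i in zf.infolist() if not is_contained(root, i.filename)]
        if bad:
            raise ValueError(f"zip entries escape {root!r}: {bad}")
        written = []
        for info in zf.infolist():
            target = os.path.realpath(os.path.join(root, info.filename))
            if info.is_dir():
                os.makedirs(target, exist_ok=True)
                continue
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with open(target, "wb") as out:
                out.write(zf.read(info))
            written.append(target)
    return written


def demo() -> dict:
    """Run both extractors on the malicious archive inside a scratch directory."""
    data = build_malicious_zip()
    with tempfile.TemporaryDirectory() as base:
        dest = os.path.join(base, "work", "extract")
        os.makedirs(dest)
        unsafe_unzip(data, dest)
        # base/work/extract/../../escaped.txt lands directly under base
        escaped = os.path.exists(os.path.join(base, "escaped.txt"))
        dest2 = os.path.join(base, "work", "extract2")
        os.makedirs(dest2)
        try:
            safe_unzip(data, dest2)
            rejected = False
        except ValueError:
            rejected = True
        nothing_written = not os.listdir(dest2)
    return {"unsafe_wrote_outside": escaped,
            "safe_rejected": rejected,
            "safe_wrote_nothing": nothing_written}


if __name__ == "__main__":
    print(demo())
```

Two details matter in practice: validate every entry before writing any of them (a partially extracted archive is itself a foothold), and canonicalise both sides with realpath so that a symlink already present under the destination cannot redirect a write that looks contained lexically.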

How to fix Arbitrary File Write via Archive Extraction (Zip Slip)?

Upgrade io.hawt:hawtio-system to version 3.0-M7 or higher.

[,3.0-M7)
  • High severity
Directory Traversal

io.hawt:hawtio-system is a hawtio package for creating a Java modular web console.

Affected versions of this package are vulnerable to Directory Traversal. A crafted path can trigger a NullPointerException whose full stack trace is returned to the client, and an attacker can use the disclosed trace to gather otherwise undisclosed information from within hawtio's root.

How to fix Directory Traversal?

Upgrade io.hawt:hawtio-system to version 1.5.0 or higher.

[,1.5.0)
  • Critical severity
Information Exposure

io.hawt:hawtio-system is a hawtio package for creating a Java modular web console.

Affected versions of this package are vulnerable to Information Exposure because a single HttpClient instance with a persistent cookie store is used to proxy requests for every client. Cookies that a backend sets in response to one client's proxied request are stored in that shared cookie store and replayed on other clients' requests, so all clients using the proxy share the same cookies.
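To make the failure mode concrete, here is an added Python illustration (not hawtio's code; the HttpClient the entry refers to is Java) that uses the standard library's http.cookiejar as a stand-in for a persistent cookie store behind a proxy. The proxied_round_trip helper, the backend URL and the JSESSIONID value are constructed for the example, and no network traffic is made: a fake response object carries the backend's Set-Cookie header.

```python
"""Shared vs. isolated cookie store behind a proxy. Added illustration, not hawtio code."""
import http.client
import http.cookiejar
import urllib.request

# Hypothetical backend the proxy forwards to (assumption for this example).
BACKEND_URL = "http://backend.example/jolokia/"


class _FakeResponse:
    """Stand-in for an HTTP response: CookieJar.extract_cookies() only needs .info()."""

    def __init__(self, set_cookie_values):
        self._headers = http.client.HTTPMessage()
        for value in set_cookie_values:
            self._headers.add_header("Set-Cookie", value)

    def info(self):
        return self._headers


def proxied_round_trip(jar, backend_set_cookie=()):
    """One proxied request: attach cookies from `jar`, then absorb the backend's Set-Cookie.

    Returns the Cookie header sent upstream (None if the jar had nothing to send).
    The backend response is constructed; nothing is sent over the network.
    """
    request = urllib.request.Request(BACKEND_URL)
    jar.add_cookie_header(request)
    sent_cookie = request.get_header("Cookie")
    jar.extract_cookies(_FakeResponse(list(backend_set_cookie)), request)
    return sent_cookie


def shared_store_scenario():
    """The vulnerable pattern: one client, one persistent cookie store, every user."""
    shared_jar = http.cookiejar.CookieJar()
    alice_sent = proxied_round_trip(shared_jar, ["JSESSIONID=alice-session; Path=/"])
    bob_sent = proxied_round_trip(shared_jar)  # Bob never authenticated upstream
    return alice_sent, bob_sent  # (None, 'JSESSIONID=alice-session'): Bob rides Alice's session


def per_user_store_scenario():
    """Fix 1: a cookie store per user (or per request), so nothing crosses sessions."""
    alice_sent = proxied_round_trip(http.cookiejar.CookieJar(),
                                    ["JSESSIONID=alice-session; Path=/"])
    bob_sent = proxied_round_trip(http.cookiejar.CookieJar())
    return alice_sent, bob_sent  # (None, None)


def no_store_scenario():
    """Fix 2: keep a single client but refuse to store upstream cookies at all."""
    # An empty allowed_domains list makes the policy reject every cookie.
    policy = http.cookiejar.DefaultCookiePolicy(allowed_domains=[])
    stateless_jar = http.cookiejar.CookieJar(policy=policy)
    alice_sent = proxied_round_trip(stateless_jar, ["JSESSIONID=alice-session; Path=/"])
    bob_sent = proxied_round_trip(stateless_jar)
    return alice_sent, bob_sent  # (None, None)


if __name__ == "__main__":
    print("shared store:  ", shared_store_scenario())
    print("per-user store:", per_user_store_scenario())
    print("no store:      ", no_store_scenario())
```

Either fix is acceptable; which one to pick depends on whether the proxy is supposed to carry upstream session state at all. If it is, the store must be keyed to the authenticated hawtio user, never to the client object. If it is not, disabling cookie storage on the shared client is simpler and removes the class of bug entirely.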

How to fix Information Exposure?

Upgrade io.hawt:hawtio-system to version 1.5.0 or higher.

[,1.5.0)
  • Medium severity
Cross-site Scripting (XSS)

io.hawt:hawtio-system is a hawtio package for creating a Java modular web console.

Affected versions of this package are vulnerable to Cross-site Scripting (XSS). Multiple XSS issues exist within hawtio including the following areas:

  • {host}/jmx/attributes?tab=camel&con={host}&nid=root-org
  • {host}/hawtio/jolokia/?maxDepth=7&maxCollectionSize=500&ignoreErrors=true&canonicalNaming=false

How to fix Cross-site Scripting (XSS)?

There is no fixed version for io.hawt:hawtio-system.

[0,)
  • Medium severity
Server-Side Request Forgery (SSRF)

io.hawt:hawtio-system is a hawtio package for creating a Java modular web console.

Affected versions of this package are vulnerable to Server-Side Request Forgery (SSRF). A remote attacker can make the affected server issue an HTTP request to an arbitrary host by supplying a URI whose path begins with /proxy/ and names the destination, which the server contacts without restricting where the proxied request may go.
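The remediation pattern, as an added Python illustration (not hawtio's code): resolve the proxy path into a (scheme, host, port) triple and refuse anything not on an explicit allowlist. The path layout /proxy/<scheme>/<host>/<port>/<path>, the allowlist entries and the cloud-metadata address used as an attacker target are assumptions for this example; check the layout your hawtio version actually uses. The unsafe and hardened resolvers differ only in the allowlist gate, which is the point.

```python
"""Restricting a /proxy/ endpoint to known targets. Added illustration, not hawtio code."""

# Assumed path layout for this example: /proxy/<scheme>/<host>/<port>/<path>
PROXY_PREFIX = "/proxy/"

# Hypothetical allowlist: only these (scheme, host, port) triples may be reached.
ALLOWED_TARGETS = frozenset({
    ("http", "localhost", 8778),
    ("https", "broker1.internal", 8443),
})


def parse_proxy_path(path: str):
    """Split '/proxy/<scheme>/<host>/<port>[/<rest>]' into parts, or raise ValueError."""
    if not path.startswith(PROXY_PREFIX):
        raise ValueError("not a proxy path")
    parts = path[len(PROXY_PREFIX):].split("/", 3)
    if len(parts) < 3 or not all(parts[:3]):
        raise ValueError("malformed proxy path")
    scheme = parts[0].lower()
    host = parts[1].lower().rstrip(".")  # 'localhost.' and 'localhost' are the same host
    port_text = parts[2]
    rest = "/" + parts[3] if len(parts) == 4 else "/"
    if scheme not in ("http", "https"):
        raise ValueError("unsupported scheme")
    if not host or "@" in host or ":" in host:
        # e.g. 'localhost@evil.example' or 'localhost:1' would smuggle a different destination
        raise ValueError("host may not carry userinfo or a port")
    if not port_text.isdigit() or not 1 <= int(port_text) <= 65535:
        raise ValueError("bad port")
    return scheme, host, int(port_text), rest


def unsafe_resolve_target(path: str) -> str:
    """Vulnerable pattern: whatever host the caller names is contacted."""
    scheme, host, port, rest = parse_proxy_path(path)
    return f"{scheme}://{host}:{port}{rest}"


def resolve_target(path: str, allowed=ALLOWED_TARGETS) -> str:
    """Hardened: the full (scheme, host, port) triple must be allowlisted."""
    scheme, host, port, rest = parse_proxy_path(path)
    if (scheme, host, port) not in allowed:
        raise PermissionError(f"proxy target not allowlisted: {scheme}://{host}:{port}")
    return f"{scheme}://{host}:{port}{rest}"


def is_allowed_proxy_path(path: str, allowed=ALLOWED_TARGETS) -> bool:
    """Boolean wrapper so request handlers can gate without handling exceptions."""
    try:
        resolve_target(path, allowed)
        return True
    except (ValueError, PermissionError):
        return False


if __name__ == "__main__":
    attacker_path = "/proxy/http/169.254.169.254/80/latest/meta-data/"
    print("unsafe resolves to:", unsafe_resolve_target(attacker_path))
    print("allowlisted?      ", is_allowed_proxy_path(attacker_path))
    print("legitimate:        ", resolve_target("/proxy/http/localhost/8778/jolokia/"))
```

Matching the whole triple matters: allowlisting the host alone still lets an attacker pick the port, and accepting host strings with userinfo or an embedded port lets a different destination slip past a naive comparison. A name allowlist does not by itself defend against DNS rebinding; where that matters, resolve the name once, validate the address, and connect to that address.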

How to fix Server-Side Request Forgery (SSRF)?

Upgrade io.hawt:hawtio-system to version 2.5.0 or higher.

[,2.5.0)
  • High severity
Arbitrary Code Execution

io.hawt:hawtio-system is a lightweight and modular HTML5 web console with lots of plugins for managing your Java stuff.

Affected versions of this package are vulnerable to Arbitrary Code Execution via file upload. An attacker can upload a crafted file that is then executed on the machine where hawtio is deployed.

How to fix Arbitrary Code Execution?

Upgrade io.hawt:hawtio-system to version 1.5.5 or higher.

[,1.5.5)