Vulnerability Details : CVE-2017-2617
hawtio before version 1.5.5 is vulnerable to remote code execution via file upload. An attacker could use this vulnerability to upload a crafted file which could be executed on a target machine where hawtio is deployed.
Vulnerability category: Input validationExecute code
Products affected by CVE-2017-2617
- cpe:2.3:a:hawt.io:hawtio:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2017-2617
0.73%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 70 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2017-2617
| Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
|---|---|---|---|---|---|---|
|
6.8
|
MEDIUM | AV:N/AC:M/Au:N/C:P/I:P/A:P |
8.6
|
6.4
|
NIST | |
|
7.8
|
HIGH | CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
1.8
|
5.9
|
NIST | |
|
7.6
|
HIGH | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:H |
2.8
|
4.7
|
Red Hat, Inc. |
CWE ids for CVE-2017-2617
-
The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.Assigned by: secalert@redhat.com (Secondary)
-
The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.Assigned by: nvd@nist.gov (Primary)
References for CVE-2017-2617
-
http://www.securityfocus.com/bid/96036
Hawtio CVE-2017-2617 Arbitrary File Upload VulnerabilityThird Party Advisory;VDB Entry
-
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-2617
1419363 – (CVE-2017-2617) CVE-2017-2617 Hawtio: Unrestricted file upload leads to RCEIssue Tracking;Third Party Advisory
-
https://access.redhat.com/errata/RHSA-2018:0319
RHSA-2018:0319 - Security Advisory - Red Hat Customer PortalThird Party Advisory
Jump to