{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2014-03-05T00:00:00", "descriptions": [{"lang": "en", "value": "The admin terminal in Hawt.io does not require authentication, which allows remote attackers to execute arbitrary commands via the k parameter."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2017-12-29T21:57:01", "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://infocon.org/cons/SyScan/SyScan%202015%20Singapore/SyScan%202015%20Singapore%20presentations/SyScan15%20David%20Jorm%20-%20Finding%20and%20exploiting%20novel%20flaws%20in%20Java%20software.pdf"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/hawtio/hawtio/commit/5289715e4f2657562fdddcbad830a30969b96e1e"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1072716"}]}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-06T09:05:38.810Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://infocon.org/cons/SyScan/SyScan%202015%20Singapore/SyScan%202015%20Singapore%20presentations/SyScan15%20David%20Jorm%20-%20Finding%20and%20exploiting%20novel%20flaws%20in%20Java%20software.pdf"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/hawtio/hawtio/commit/5289715e4f2657562fdddcbad830a30969b96e1e"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1072716"}]}]}, "cveMetadata": {"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "cveId": "CVE-2014-0121", "datePublished": "2017-12-29T22:00:00", "dateReserved": "2013-12-03T00:00:00", "dateUpdated": "2024-08-06T09:05:38.810Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:hawt:hawtio:*:*:*:*:*:*:*:*", "matchCriteriaId": "E2D6477F-AC38-49D3-B617-77FF372375D8", "versionEndIncluding": "1.2.2", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:redhat:jboss_fuse:6.1.0:beta:*:*:*:*:*:*", "matchCriteriaId": "522C7490-D292-43FF-ABA4-FB1FBA3A36DC", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "The admin terminal in Hawt.io does not require authentication, which allows remote attackers to execute arbitrary commands via the k parameter."}, {"lang": "es", "value": "El terminal de administrador en Hawt.io no requiere autenticaci\u00f3n, lo que permite que atacantes remotos ejecuten comandos arbitrarios mediante el par\u00e1metro k."}], "id": "CVE-2014-0121", "lastModified": "2018-01-11T13:49:05.210", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2017-12-29T22:29:00.317", "references": [{"source": "secalert@redhat.com", "tags": ["Issue Tracking", "Patch", "Third Party Advisory"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1072716"}, {"source": "secalert@redhat.com", "tags": ["Issue Tracking", "Patch", "Third Party Advisory"], "url": "https://github.com/hawtio/hawtio/commit/5289715e4f2657562fdddcbad830a30969b96e1e"}, {"source": "secalert@redhat.com", "tags": ["Issue Tracking", "Third Party Advisory"], "url": "https://infocon.org/cons/SyScan/SyScan%202015%20Singapore/SyScan%202015%20Singapore%20presentations/SyScan15%20David%20Jorm%20-%20Finding%20and%20exploiting%20novel%20flaws%20in%20Java%20software.pdf"}], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-287"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"acknowledgement": "This issue was discovered by David Jorm (Red Hat Security Response Team).", "bugzilla": {"description": "hawtio-karaf-terminal: remote code execution due to missing authentication", "id": "1072716", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1072716"}, "csaw": false, "cvss": {"cvss_base_score": "6.5", "cvss_scoring_vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "status": "draft"}, "cwe": "CWE-306", "details": ["The admin terminal in Hawt.io does not require authentication, which allows remote attackers to execute arbitrary commands via the k parameter."], "name": "CVE-2014-0121", "package_state": [{"cpe": "cpe:/a:redhat:jboss_enterprise_web_server:1", "fix_state": "Not affected", "package_name": "fuse", "product_name": "Red Hat JBoss Enterprise Web Server 1"}], "public_date": "2014-04-14T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2014-0121\nhttps://nvd.nist.gov/vuln/detail/CVE-2014-0121"], "statement": "Not vulnerable. This issue only affects Red Hat JBoss Fuse 6.1.0 Beta. It is resolved in the general availability release of Red Hat JBoss Fuse 6.1.0. Earlier versions of Red Hat JBoss Fuse are not affected, as they did not include the hawtio-karaf-terminal component.", "threat_severity": "Critical"}