CVE-2017-2589
Insecure cookie sharing in Hawtio
9.0
CRITICAL
CVSS 3.1
EPSS 0.17%
Description
It was discovered that the hawtio servlet 1.4 uses a single HttpClient instance to proxy requests with a persistent cookie store (cookies are stored locally on the proxy and are not passed between the client and the end URL), which means that all clients using that proxy share the same cookies.
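The defect class is easiest to see next to its remedy. The Java sketch below is an added illustration, not hawtio's own code or its actual fix: it assumes Apache HttpClient 4.x, and the class names, the `clientId` key and the per-client map are constructed for the example. The first proxy hands every request to one client whose default cookie store is shared, so a Set-Cookie from an upstream reply to one caller is replayed on every other caller's later requests; the second keeps a cookie store per authenticated client and passes it in through the request context.

```java
import java.io.IOException;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

import org.apache.http.client.CookieStore;
import org.apache.http.client.methods.CloseableHttpResponse;
import org.apache.http.client.methods.HttpGet;
import org.apache.http.client.protocol.HttpClientContext;
import org.apache.http.impl.client.BasicCookieStore;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.impl.client.HttpClients;

/**
 * Illustrative proxy (constructed for this example, not hawtio's code).
 * SharedCookieProxy reproduces the defect class described in CVE-2017-2589;
 * IsolatedCookieProxy shows one way to keep per-client cookie state apart.
 * Assumes Apache HttpClient 4.x.
 */
public class CookieIsolationExample {

    // Vulnerable pattern: one HttpClient, one default CookieStore for everybody.
    // Whatever upstream sets for caller A is sent again on caller B's requests.
    static final class SharedCookieProxy {
        private final CloseableHttpClient client = HttpClients.custom()
                .setDefaultCookieStore(new BasicCookieStore())
                .build();

        CloseableHttpResponse forward(String clientId, String target) throws IOException {
            // clientId is ignored: every caller shares the client's cookie jar.
            return client.execute(new HttpGet(target));
        }
    }

    // Hardened pattern: the HttpClient (and its connection pool) is still shared,
    // but cookies live in a per-client CookieStore supplied via HttpClientContext.
    // A store set on the context takes precedence over the client's default store.
    // clientId is assumed to be the proxy's own authenticated session identifier.
    static final class IsolatedCookieProxy {
        private final CloseableHttpClient client = HttpClients.custom().build();
        private final Map<String, CookieStore> stores = new ConcurrentHashMap<>();

        CloseableHttpResponse forward(String clientId, String target) throws IOException {
            HttpClientContext ctx = HttpClientContext.create();
            ctx.setCookieStore(stores.computeIfAbsent(clientId, id -> new BasicCookieStore()));
            return client.execute(new HttpGet(target), ctx);
        }

        // Drop the jar when the proxy-side session ends so cookies do not outlive it.
        void endSession(String clientId) {
            stores.remove(clientId);
        }
    }
}
```

Which variant is appropriate depends on whether the proxy is meant to hold upstream cookies at all. If it should be transparent, the simpler option is to build the client with `HttpClients.custom().disableCookieManagement()` so nothing is stored proxy-side and each browser's own Cookie header is relayed unchanged; if the proxy does need to maintain upstream sessions, the per-client store above is the minimum, and its lifetime should be tied to the proxy's own authentication session as `endSession` sketches.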
How to fix CVE-2017-2589
To remediate CVE-2017-2589, upgrade the affected package to a fixed version below.
- upgrade to 1.5.0 or later
Is CVE-2017-2589 being exploited?
Low — EPSS is 0.2%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- all versions from 0 up to, but not including, 1.5.0
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | CRITICAL 9.0 | CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H |