{ "threat_severity" : "Important", "public_date" : "2017-07-28T00:00:00Z", "bugzilla" : { "description" : "hawtio: Proxy is sharing cookies among all the clients", "id" : "1413905", "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=1413905" }, "cvss3" : { "cvss3_base_score" : "8.7", "cvss3_scoring_vector" : "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N", "status" : "verified" }, "cwe" : "CWE-285", "details" : [ "It was discovered that the hawtio servlet 1.4 uses a single HttpClient instance to proxy requests with a persistent cookie store (cookies are stored locally and are not passed between the client and the end URL) which means all clients using that proxy are sharing the same cookies.", "It was discovered that the hawtio servlet uses a single HttpClient instance to proxy requests with a persistent cookie store (cookies are stored locally and are not passed between the client and the end URL) which means all clients using that proxy are sharing the same cookies." ], "acknowledgement" : "This issue was discovered by Adam Willard (Blue Canopy) and Dennis Reed (Red Hat).", "affected_release" : [ { "product_name" : "Red Hat JBoss A-MQ 6.3", "release_date" : "2017-08-10T00:00:00Z", "advisory" : "RHSA-2017:1832", "cpe" : "cpe:/a:redhat:jboss_amq:6.3" }, { "product_name" : "Red Hat JBoss Fuse 6.3", "release_date" : "2017-08-10T00:00:00Z", "advisory" : "RHSA-2017:1832", "cpe" : "cpe:/a:redhat:jboss_fuse:6.3" } ], "package_state" : [ { "product_name" : "Red Hat JBoss A-MQ 6", "fix_state" : "Affected", "package_name" : "hawtio", "cpe" : "cpe:/a:redhat:jboss_amq:6" }, { "product_name" : "Red Hat JBoss Fuse 6", "fix_state" : "Affected", "package_name" : "hawtio", "cpe" : "cpe:/a:redhat:jboss_fuse:6" }, { "product_name" : "Red Hat OpenShift Enterprise 2", "fix_state" : "Under investigation", "package_name" : "hawtio", "cpe" : "cpe:/a:redhat:openshift:2" } ], "references" : [ "https://www.cve.org/CVERecord?id=CVE-2017-2589\nhttps://nvd.nist.gov/vuln/detail/CVE-2017-2589" ], "name" : "CVE-2017-2589", "csaw" : false }