CVE-2017-2589: Cross-Site Request Forgery (CSRF)

July 26, 2018 (updated October 9, 2019)

It was discovered that the hawtio servlet uses a single HttpClient instance to proxy requests with a persistent cookie store (cookies are stored locally and are not passed between the client and the end URL) which means all clients using that proxy are sharing the same cookies.

References

access.redhat.com/errata/RHSA-2017:1832
bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-2589
nvd.nist.gov/vuln/detail/CVE-2017-2589

Code Behaviors & Features

Detect and mitigate CVE-2017-2589 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →