CVE-2017-2594: Path Traversal in io.hawt:project
Basic Information
CVSS Score: 7.5 (CVSS 3.0)
CVE ID: CVE-2017-2594
GHSA ID
EPSS Score: 0.83165%
CWE: CWE-22
Published: 5/13/2022
Updated: 2/2/2023
KEV Status: No
Technology: Java
Technical Details
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| io.hawt:project | maven | < 1.5.0 | 1.5.0 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability is a path traversal that leads to information disclosure via stack traces. Hawtio's ResourceServlet handles static resource requests and would be the logical location for path processing. Without path normalization or sanitization in the vulnerable version, '../' sequences in a request could resolve to paths outside the intended resource directory. When the resolved path does not exist, a NullPointerException is raised during resource handling and the resulting stack trace is returned to the requester. The function signature matches the resource handling mechanism described in the advisories, and the CWE-22 classification confirms the path traversal context.
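The two defects described above (no normalization before resolving the request path, and a missing resource surfacing as a NullPointerException whose stack trace reaches the client) are both addressed by the resolver below. This is an added illustration written for this page, not hawtio's code; the base directory, the `SafeResourceResolver` class and its `Outcome` values are assumptions for the example.

```java
import java.nio.file.Files;
import java.nio.file.Path;

// Added example, not hawtio's code: resolve a requested static resource against a
// fixed base directory, refuse anything that escapes it, and treat a missing file
// as NOT_FOUND instead of a null that the caller dereferences (the NPE whose stack
// trace is what leaks). The base directory and path convention are assumptions.
public final class SafeResourceResolver {
    public enum Outcome { OK, FORBIDDEN, NOT_FOUND }

    public static final class Result {
        public final Outcome outcome;
        public final Path path; // set only when outcome == OK
        Result(Outcome outcome, Path path) { this.outcome = outcome; this.path = path; }
    }

    private final Path base;

    public SafeResourceResolver(Path base) {
        // Canonicalise once so later startsWith() compares like with like.
        this.base = base.toAbsolutePath().normalize();
    }

    public Result resolve(String requestedPath) {
        if (requestedPath == null || requestedPath.isEmpty()) {
            return new Result(Outcome.NOT_FOUND, null);
        }
        // Drop the leading '/' so resolve() joins onto base instead of replacing it,
        // then normalize() collapses "." and ".." segments.
        String relative = requestedPath.startsWith("/") ? requestedPath.substring(1) : requestedPath;
        Path candidate = base.resolve(relative).normalize();
        if (!candidate.startsWith(base)) {   // traversal: result no longer under base
            return new Result(Outcome.FORBIDDEN, null);
        }
        if (!Files.isRegularFile(candidate)) { // absent resource is an ordinary outcome
            return new Result(Outcome.NOT_FOUND, null);
        }
        return new Result(Outcome.OK, candidate);
    }

    public static void main(String[] args) throws Exception {
        Path tmp = Files.createTempDirectory("static");
        Files.write(tmp.resolve("app.js"), "console.log('hi')".getBytes());
        SafeResourceResolver r = new SafeResourceResolver(tmp);
        System.out.println(r.resolve("/app.js").outcome);
        System.out.println(r.resolve("/../outside.txt").outcome);
        System.out.println(r.resolve("/missing.js").outcome);
    }
}
```

The check operates on the already-decoded request path, so feed it the servlet container's decoded path (for example the result of `getPathInfo()`), and map FORBIDDEN and NOT_FOUND to plain 403 and 404 responses that carry no exception detail in the body.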