
CVE-2017-2594: Path Traversal in io.hawt:project

CVSS Score (v3.0): 7.5

Basic Information

EPSS Score: 0.83165%
Published: 5/13/2022
Updated: 2/2/2023
KEV Status: No
Technology: Java

Technical Details

CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Package Name: io.hawt:project
Ecosystem: maven
Vulnerable Versions: < 1.5.0
First Patched Version: 1.5.0

Vulnerability Intelligence

Miggo AI Root Cause Analysis

The vulnerability is a path traversal (CWE-22) whose impact is information disclosure through stack traces, which is consistent with the CVSS vector above: high confidentiality impact, no integrity or availability impact, reachable by an unauthenticated remote client (AV:N/PR:N/UI:N). Hawtio's ResourceServlet handles static resource requests, and this analysis assumes it is where request paths were resolved against the web root without normalization or sanitization, so that a request containing '../' segments could name a location outside the intended root. When the resolved path did not exist, resource handling dereferenced a null result and threw a NullPointerException; the container then rendered that exception with its full stack trace, exposing internal class names, file system paths and framework versions. The exact method is inferred from the advisory text and the CWE classification rather than from a cited patch; the remediation supported by this page is upgrading io.hawt:project to 1.5.0 or later.
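The following Java class is an added illustration of the two defects the analysis describes; it is not hawtio's ResourceServlet or any other code from the project. The class name, method names and the temp-directory web root are all assumptions made for the demo. resolveUnsafe() joins the request path onto the web root without normalizing it and hands a null back on a miss, so sizeUnsafe() throws the NullPointerException that a container's default error page would render with a full stack trace. resolveSafe() and statusSafe() show the containment check and null-free contract that close both holes.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.Optional;

/*
 * Hypothetical static-resource resolver (added example, not hawtio code).
 * Vulnerable methods reproduce the defects described in the analysis;
 * the *Safe methods show the hardened equivalents.
 */
public class StaticResourceResolver {

    private final Path webRoot;

    public StaticResourceResolver(Path webRoot) {
        // Canonical, absolute root so that startsWith() below is a real containment test.
        this.webRoot = webRoot.toAbsolutePath().normalize();
    }

    /** Vulnerable pattern: raw concatenation, so "../" segments walk out of webRoot. */
    public Path resolveUnsafe(String requestPath) {
        Path target = Paths.get(webRoot.toString(), requestPath);
        // Returns null when nothing is there; the caller dereferences it.
        return Files.exists(target) ? target : null;
    }

    /**
     * Vulnerable pattern continued: a miss becomes a NullPointerException, which a
     * servlet container's default error page renders with a full stack trace.
     */
    public long sizeUnsafe(String requestPath) throws IOException {
        return Files.size(resolveUnsafe(requestPath)); // NPE on a missing resource
    }

    /** Hardened: normalize, require the result to stay under webRoot, never return null. */
    public Optional<Path> resolveSafe(String requestPath) {
        if (requestPath == null || requestPath.indexOf('\0') >= 0) {
            return Optional.empty();
        }
        // Drop the leading "/" so resolve() treats the request as relative to webRoot.
        String relative = requestPath.startsWith("/") ? requestPath.substring(1) : requestPath;
        Path target = webRoot.resolve(relative).normalize();
        if (!target.startsWith(webRoot)) {
            return Optional.empty(); // traversal attempt: indistinguishable from "not found"
        }
        return Files.isRegularFile(target) ? Optional.of(target) : Optional.empty();
    }

    /** Hardened response mapping: a miss is a plain 404 and no exception reaches the client. */
    public int statusSafe(String requestPath) {
        return resolveSafe(requestPath).isPresent() ? 200 : 404;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample web root in a temp directory so the demo runs anywhere.
        Path root = Files.createTempDirectory("webroot");
        Files.write(root.resolve("index.html"), "<html>ok</html>".getBytes(StandardCharsets.UTF_8));
        StaticResourceResolver resolver = new StaticResourceResolver(root);

        String traversal = "/../../../../../../etc/hosts"; // dot-dot probe, the CWE-22 pattern
        System.out.println("unsafe -> " + resolver.resolveUnsafe(traversal));   // escapes root on Unix-like systems
        System.out.println("safe   -> " + resolver.resolveSafe(traversal));     // Optional.empty
        System.out.println("safe   -> " + resolver.resolveSafe("/index.html")); // Optional[<root>/index.html]

        try {
            resolver.sizeUnsafe("/../no-such-file");
        } catch (NullPointerException e) {
            System.out.println("unsafe miss -> NullPointerException (stack trace would be rendered)");
        }
        System.out.println("safe miss   -> HTTP " + resolver.statusSafe("/../no-such-file"));
    }
}
```

Two design points matter more than the specific code. First, the containment check is performed on the normalized Path, not by scanning the request string for "../": string filters miss percent-encoded or mixed-separator variants, whereas normalize() followed by startsWith() on the canonical root rejects any path that would leave it. Second, a traversal attempt and a genuine miss both map to the same 404 with no exception propagating, so the error page cannot become the disclosure channel that the CVE describes.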


WAF Protection Rules

WAF Rule

hawtio before versions *.*-beta-*, *.*-beta-*, *.*-m*, *.*-m*, *.*-m*, and *.* are vulnerable to a path traversal that leads to a NullPointerException with a full stacktrace. An attacker could use this flaw to gather undisclosed information from with
