8.1

CVSS Score

3.0

Basic Information

CVE ID

CVE-2018-10899

GHSA ID

GHSA-xcxf-7q4p-cj26

EPSS Score

0.8341%

CWE

CWE-352

Published

5/24/2022

Updated

1/27/2023

KEV Status

Technology

Java

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2018-10899

CVE-2018-10899: Cross-Site Request Forgery in Jolokia

A flaw was found in Jolokia versions from 1.2 to before 1.6.1. Affected versions are vulnerable to a system-wide CSRF. This holds true for properly configured instances with strict checking for origin and referrer headers. This could result in a Remote Code Execution attack.

(GitHub Advisory)

8.1

CVSS Score

3.0

Basic Information

CVE ID

CVE-2018-10899

GHSA ID

GHSA-xcxf-7q4p-cj26

EPSS Score

0.8341%

CWE

CWE-352

Published

5/24/2022

Updated

1/27/2023

KEV Status

Technology

Java

Technical Details

CVSS Vector

CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
org.jolokia:jolokia-core	maven	>= 1.2, < 1.6.1	1.6.1

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stemmed from improper CORS origin validation when strict checking was enabled. Key evidence includes:

CorsChecker.check() pre-patch allowed null origins during strict checks
HttpRequestHandler.checkAccess() skipped origin validation when header was missing
Parameter renaming in BackendManager.isOriginAllowed() indicates logic flaw These functions would appear in stack traces when processing malicious CSRF requests due to their role in origin validation and security decision-making.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

* *l*w w*s *oun* in Joloki* v*rsions *rom *.* to ***or* *.*.*. *****t** v*rsions *r* vuln*r**l* to * syst*m-wi** *SR*. T*is *ol*s tru* *or prop*rly *on*i*ur** inst*n**s wit* stri*t ****kin* *or ori*in *n* r***rr*r *****rs. T*is *oul* r*sult in * R*mo

Reasoning

T** vuln*r**ility st*mm** *rom improp*r *ORS ori*in v*li**tion w**n stri*t ****kin* w*s *n**l**. K*y *vi**n** in*lu**s: *. *ors****k*r.****k() pr*-p*t** *llow** null ori*ins *urin* stri*t ****ks *. *ttpR*qu*st**n*l*r.****k****ss() skipp** ori*in v*li

8.1

Basic Information

Concerned about an active attack path?

CVE-2018-10899: Cross-Site Request Forgery in Jolokia

8.1

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI