
CVE-2023-27094: Hippo4j privilege escalation issue

CVSS Score: 8.8 (CVSS v3.1)

Basic Information

EPSS Score: 0.42339%
Published: 3/23/2023
Updated: 2/26/2025
KEV Status: No
Technology: Java

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Package Name: cn.hippo4j:hippo4j-all
Ecosystem: maven
Vulnerable Versions: <= 1.4.3
First Patched Version: (none listed)

Vulnerability Intelligence

Root Cause Analysis (Miggo AI)

The GitHub issue #1059 explicitly identifies the deletePool method in ThreadPoolController as having missing authentication checks. The vulnerability allows privilege escalation by letting low-privileged users execute destructive operations (thread pool deletion) through an unprotected endpoint. The CWE-269 mapping confirms this is an improper privilege management issue where access controls are missing on a sensitive operation.
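The pattern the analysis describes, a destructive endpoint reachable by any authenticated user, is shown below in an added illustration. This is not Hippo4j's source and not the project's fix: only the names ThreadPoolController and deletePool come from the advisory; the Spring MVC layout, the URL path, the ThreadPoolService interface, the role name and the tenant-membership check are all assumptions made for this example.

```java
// Illustrative Spring MVC controllers, NOT Hippo4j's code. Only the names
// ThreadPoolController and deletePool appear in the advisory; the path,
// service interface, role name and tenant check are assumptions.
import java.util.logging.Logger;

import org.springframework.http.HttpStatus;
import org.springframework.http.ResponseEntity;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.core.Authentication;
import org.springframework.web.bind.annotation.DeleteMapping;
import org.springframework.web.bind.annotation.PathVariable;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RestController;

// Assumed service boundary so the controllers below compile on their own.
interface ThreadPoolService {
    // Does this principal administer the given tenant? (assumed method)
    boolean callerManagesTenant(String principal, String tenantId);
    void delete(String tenantId, String itemId, String tpId);
}

// --- Weak shape: the CWE-269 pattern described in the analysis ---
// Any caller who can reach the endpoint can delete a thread pool; nothing
// here asks whether the caller is allowed to manage this tenant's pools.
@RestController
@RequestMapping("/example/thread-pools")          // assumed path
class ThreadPoolControllerBefore {
    private final ThreadPoolService service;

    ThreadPoolControllerBefore(ThreadPoolService service) { this.service = service; }

    @DeleteMapping("/{tenantId}/{itemId}/{tpId}")
    public ResponseEntity<Void> deletePool(@PathVariable String tenantId,
                                           @PathVariable String itemId,
                                           @PathVariable String tpId) {
        service.delete(tenantId, itemId, tpId);    // destructive and unguarded
        return ResponseEntity.noContent().build();
    }
}

// --- Hardened shape: one way to close the gap ---
// 1. Method-level authorization: only an administrator role may delete.
// 2. Object-level authorization: the admin must manage the tenant named in
//    the URL, so one tenant's admin cannot delete another tenant's pools.
// 3. An audit record of who deleted what, so the action is detectable.
@RestController
@RequestMapping("/example/thread-pools")          // assumed path
class ThreadPoolController {
    private static final Logger LOG = Logger.getLogger(ThreadPoolController.class.getName());
    private final ThreadPoolService service;

    ThreadPoolController(ThreadPoolService service) { this.service = service; }

    @DeleteMapping("/{tenantId}/{itemId}/{tpId}")
    @PreAuthorize("hasRole('ADMIN')")             // assumed role name
    public ResponseEntity<Void> deletePool(@PathVariable String tenantId,
                                           @PathVariable String itemId,
                                           @PathVariable String tpId,
                                           Authentication auth) {
        // Role alone is not enough: bind the action to the tenant in the URL.
        if (!service.callerManagesTenant(auth.getName(), tenantId)) {
            LOG.warning(() -> String.format(
                "denied deletePool tenant=%s item=%s tp=%s by=%s",
                tenantId, itemId, tpId, auth.getName()));
            return ResponseEntity.status(HttpStatus.FORBIDDEN).build();
        }
        service.delete(tenantId, itemId, tpId);
        LOG.info(() -> String.format(
            "deletePool tenant=%s item=%s tp=%s by=%s",
            tenantId, itemId, tpId, auth.getName()));
        return ResponseEntity.noContent().build();
    }
}
```

The two checks do different jobs: the role annotation keeps low-privileged users off the endpoint entirely, and the tenant check stops an administrator of one tenant from acting on another tenant's resources. The log lines give a detection hook for both denied and successful deletions.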


WAF Protection Rules

WAF Rule

An issue found in OpenGoofy Hippo4j v.1.4.3 allows attackers to escalate privileges via the ThreadPoolController of the tenant Management module.
