Maven package
org.jolokia/jolokia-core
pkg:maven/org.jolokia/jolokia-core
Vulnerabilities (4)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2018-10899 | — | — | — | >= 1.2, < 1.6.1 | 1.6.1 | Aug 1, 2019 | Jolokia from 1.2 up to but not including 1.6.1 is vulnerable to a system-wide CSRF; this holds even for properly configured instances that strictly check the Origin and Referer headers. The outcome can be remote code execution. |
| CVE-2018-1000130 | — | — | — | >= 1.3.7, < 1.5.0 | 1.5.0 | Mar 14, 2018 | A JNDI injection vulnerability in the Jolokia agent (reported against 1.3.7) in proxy mode allows a remote attacker to run arbitrary Java code on the server. |
| CVE-2018-1000129 | — | — | — | >= 1.3.7, < 1.5.0 | 1.5.0 | Mar 14, 2018 | An XSS vulnerability in the Jolokia agent (reported against 1.3.7) in the HTTP servlet allows an attacker to execute malicious JavaScript in the victim's browser. |
| CVE-2014-0168 | — | — | — | < 1.2.1 | 1.2.1 | Oct 6, 2014 | Cross-site request forgery (CSRF) in Jolokia before 1.2.1 allows remote attackers to hijack the authentication of users for requests that execute MBean methods via a crafted web page. |
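The following is an added example, not code from this package page or from the Jolokia project. It turns the four rows above into a check a practitioner can run against a dependency version or a deployed agent: the CVE ranges are copied from the table, while the version parsing, the package-URL handling and the sample version response are my own. The sample JSON is constructed, not captured from a real host; it uses the `value.agent` field that a Jolokia `version` request returns.

```python
"""Check a jolokia-core version against the four advisories listed on this page.

Added example; not code from the package page or from the Jolokia project.
The CVE ranges are copied from the table above; everything else (version
parsing, purl handling, the constructed sample response) is mine.
"""
import json
import re

# (CVE, lowest affected version inclusive or None, first fixed version) from the table.
ADVISORIES = [
    ("CVE-2018-10899", "1.2", "1.6.1"),
    ("CVE-2018-1000130", "1.3.7", "1.5.0"),
    ("CVE-2018-1000129", "1.3.7", "1.5.0"),
    ("CVE-2014-0168", None, "1.2.1"),
]

# Qualifiers Maven treats as equal to the bare release; anything else sorts below it.
RELEASE_QUALIFIERS = {"", "ga", "final", "release"}

_VERSION_RE = re.compile(r"(\d+(?:\.\d+)*)(?:[-.]([A-Za-z][\w.-]*))?")


def parse_version(v):
    """Return a sortable key: (numeric components, release flag).

    Trailing zero components are dropped so 1.2 == 1.2.0, numeric parts are
    compared as integers so 1.10 > 1.9, and a pre-release qualifier such as
    -SNAPSHOT or -RC1 sorts just below the release it precedes. This covers the
    dotted versions Jolokia publishes; it is not a full Maven ComparableVersion.
    """
    m = _VERSION_RE.fullmatch(v.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {v!r}")
    nums = [int(x) for x in m.group(1).split(".")]
    while nums and nums[-1] == 0:
        nums.pop()
    qualifier = (m.group(2) or "").lower()
    return tuple(nums), 1 if qualifier in RELEASE_QUALIFIERS else 0


def version_from_purl(purl):
    """Extract the version from a package URL in the form this page uses,
    e.g. pkg:maven/org.jolokia/jolokia-core@1.3.7 (qualifiers and subpath stripped)."""
    if not purl.startswith("pkg:"):
        raise ValueError("not a package URL")
    if "@" not in purl:
        raise ValueError("package URL carries no version to check")
    version = purl.rsplit("@", 1)[1]
    return version.split("?", 1)[0].split("#", 1)[0]


def version_from_agent_response(body):
    """Read the agent version from the JSON a Jolokia endpoint returns for a
    'version' request; the agent version sits under value.agent."""
    return json.loads(body)["value"]["agent"]


def is_affected(version, lower, upper):
    """lower <= version < upper, with lower=None meaning no lower bound."""
    key = parse_version(version)
    if lower is not None and key < parse_version(lower):
        return False
    return key < parse_version(upper)


def affected_cves(version):
    """CVEs from the table above that apply to the given jolokia-core version."""
    return [cve for cve, lower, upper in ADVISORIES if is_affected(version, lower, upper)]


# Constructed sample of a Jolokia version response; not captured from a real host.
SAMPLE_VERSION_RESPONSE = json.dumps({
    "request": {"type": "version"},
    "value": {"agent": "1.3.7", "protocol": "7.2"},
    "timestamp": 1520000000,
    "status": 200,
})


if __name__ == "__main__":
    for v in ("1.1.5", "1.2.0", "1.3.7", "1.5.0", "1.6.1-SNAPSHOT", "1.6.1", "1.10.0"):
        print(f"{v:>15}: {affected_cves(v) or 'none of the four'}")
    agent = version_from_agent_response(SAMPLE_VERSION_RESPONSE)
    print("agent reports", agent, "->", affected_cves(agent))
```

Two caveats when using this. A version match is a reason to upgrade, not proof that an endpoint is exploitable: CVE-2018-1000130 needs proxy mode to be enabled, and the two CSRF advisories need a browser user with credentials for the agent. And because the ranges overlap, the only version that clears all four rows is 1.6.1 or later; a pre-release such as 1.6.1-SNAPSHOT still sorts below the fix, which is why the check reports it as affected.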