{"api_version":"1","generated_at":"2026-05-13T11:43:30+00:00","cve":"CVE-2014-0120","urls":{"html":"https://cve.report/CVE-2014-0120","api":"https://cve.report/api/cve/CVE-2014-0120.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2014-0120","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2014-0120"},"summary":{"title":"CVE-2014-0120","description":"Cross-site request forgery (CSRF) vulnerability in the admin terminal in Hawt.io allows remote attackers to hijack the authentication of arbitrary users for requests that run commands on the Karaf server, as demonstrated by running \"shutdown -f.\"","state":"PUBLISHED","assigner":"redhat","published_at":"2017-12-29 22:29:00","updated_at":"2025-04-20 01:37:25"},"problem_types":["CWE-352","n/a"],"metrics":[{"version":"3.0","source":"nvd@nist.gov","type":"Primary","score":"8.8","severity":"HIGH","vector":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H","data":{"version":"3.0","vectorString":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H","baseScore":8.8,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"REQUIRED","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"}},{"version":"2.0","source":"nvd@nist.gov","type":"Primary","score":"6.8","severity":"","vector":"AV:N/AC:M/Au:N/C:P/I:P/A:P","data":{"version":"2.0","vectorString":"AV:N/AC:M/Au:N/C:P/I:P/A:P","baseScore":6.8,"accessVector":"NETWORK","accessComplexity":"MEDIUM","authentication":"NONE","confidentialityImpact":"PARTIAL","integrityImpact":"PARTIAL","availabilityImpact":"PARTIAL"}}],"references":[{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=1072681","name":"https://bugzilla.redhat.com/show_bug.cgi?id=1072681","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":["Issue Tracking","Patch","Third Party Advisory"],"title":"1072681 – (CVE-2014-0120) CVE-2014-0120 hawtio-karaf-terminal: cross-site request forgery (CSRF)","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://github.com/hawtio/hawtio/commit/b4e23e002639c274a2f687ada980118512f06113","name":"https://github.com/hawtio/hawtio/commit/b4e23e002639c274a2f687ada980118512f06113","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":["Issue Tracking","Patch","Third Party Advisory"],"title":"Add a LoginTokenServlet that plugins can use to fetch a token, and le… · hawtio/hawtio@b4e23e0 · GitHub","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://infocon.org/cons/SyScan/SyScan%202015%20Singapore/SyScan%202015%20Singapore%20presentations/SyScan15%20David%20Jorm%20-%20Finding%20and%20exploiting%20novel%20flaws%20in%20Java%20software.pdf","name":"https://infocon.org/cons/SyScan/SyScan%202015%20Singapore/SyScan%202015%20Singapore%20presentations/SyScan15%20David%20Jorm%20-%20Finding%20and%20exploiting%20novel%20flaws%20in%20Java%20software.pdf","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":["Issue Tracking","Third Party Advisory"],"title":"","mime":"application/pdf","httpstatus":"200","archivestatus":"200"},{"url":"https://www.cve.org/CVERecord?id=CVE-2014-0120","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2014-0120","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[{"source":"CNA","vendor":"n/a","product":"n/a","version":"affected n/a","platforms":[]}],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2014","cve_id":"120","vulnerable":"1","versionEndIncluding":"1.2.2","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"hawt","cpe5":"hawtio","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2014","cve_id":"120","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"redhat","cpe5":"jboss_fuse","cpe6":"6.1.0","cpe7":"beta","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[]},"source_records":{"cve_program":{"containers":{"adp":[{"providerMetadata":{"dateUpdated":"2024-08-06T09:05:38.398Z","orgId":"af854a3a-2127-422b-91ae-364da2661108","shortName":"CVE"},"references":[{"tags":["x_refsource_MISC","x_transferred"],"url":"https://infocon.org/cons/SyScan/SyScan%202015%20Singapore/SyScan%202015%20Singapore%20presentations/SyScan15%20David%20Jorm%20-%20Finding%20and%20exploiting%20novel%20flaws%20in%20Java%20software.pdf"},{"tags":["x_refsource_CONFIRM","x_transferred"],"url":"https://github.com/hawtio/hawtio/commit/b4e23e002639c274a2f687ada980118512f06113"},{"tags":["x_refsource_CONFIRM","x_transferred"],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=1072681"}],"title":"CVE Program Container"}],"cna":{"affected":[{"product":"n/a","vendor":"n/a","versions":[{"status":"affected","version":"n/a"}]}],"datePublic":"2014-03-04T00:00:00.000Z","descriptions":[{"lang":"en","value":"Cross-site request forgery (CSRF) vulnerability in the admin terminal in Hawt.io allows remote attackers to hijack the authentication of arbitrary users for requests that run commands on the Karaf server, as demonstrated by running \"shutdown -f.\""}],"problemTypes":[{"descriptions":[{"description":"n/a","lang":"en","type":"text"}]}],"providerMetadata":{"dateUpdated":"2017-12-29T21:57:01.000Z","orgId":"53f830b8-0a3f-465b-8143-3b8a9948e749","shortName":"redhat"},"references":[{"tags":["x_refsource_MISC"],"url":"https://infocon.org/cons/SyScan/SyScan%202015%20Singapore/SyScan%202015%20Singapore%20presentations/SyScan15%20David%20Jorm%20-%20Finding%20and%20exploiting%20novel%20flaws%20in%20Java%20software.pdf"},{"tags":["x_refsource_CONFIRM"],"url":"https://github.com/hawtio/hawtio/commit/b4e23e002639c274a2f687ada980118512f06113"},{"tags":["x_refsource_CONFIRM"],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=1072681"}]}},"cveMetadata":{"assignerOrgId":"53f830b8-0a3f-465b-8143-3b8a9948e749","assignerShortName":"redhat","cveId":"CVE-2014-0120","datePublished":"2017-12-29T22:00:00.000Z","dateReserved":"2013-12-03T00:00:00.000Z","dateUpdated":"2024-08-06T09:05:38.398Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.1"},"nvd":{"publishedDate":"2017-12-29 22:29:00","lastModifiedDate":"2025-04-20 01:37:25","problem_types":["CWE-352","n/a"],"metrics":{"cvssMetricV30":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.0","vectorString":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H","baseScore":8.8,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"REQUIRED","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":2.8,"impactScore":5.9}],"cvssMetricV2":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"2.0","vectorString":"AV:N/AC:M/Au:N/C:P/I:P/A:P","baseScore":6.8,"accessVector":"NETWORK","accessComplexity":"MEDIUM","authentication":"NONE","confidentialityImpact":"PARTIAL","integrityImpact":"PARTIAL","availabilityImpact":"PARTIAL"},"baseSeverity":"MEDIUM","exploitabilityScore":8.6,"impactScore":6.4,"acInsufInfo":false,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":true}]},"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:hawt:hawtio:*:*:*:*:*:*:*:*","versionEndIncluding":"1.2.2","matchCriteriaId":"E2D6477F-AC38-49D3-B617-77FF372375D8"}]}]},{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:redhat:jboss_fuse:6.1.0:beta:*:*:*:*:*:*","matchCriteriaId":"522C7490-D292-43FF-ABA4-FB1FBA3A36DC"}]}]}]},"legacy_mitre":{"record":{"CveYear":"2014","CveId":"120","Ordinal":"1","Title":"CVE-2014-0120","CVE":"CVE-2014-0120","Year":"2014"},"notes":[{"CveYear":"2014","CveId":"120","Ordinal":"1","NoteData":"Cross-site request forgery (CSRF) vulnerability in the admin terminal in Hawt.io allows remote attackers to hijack the authentication of arbitrary users for requests that run commands on the Karaf server, as demonstrated by running \"shutdown -f.\"","Type":"Description","Title":"CVE-2014-0120"},{"CveYear":"2014","CveId":"120","Ordinal":"2","NoteData":"2017-12-29","Type":"Other","Title":"Published"},{"CveYear":"2014","CveId":"120","Ordinal":"3","NoteData":"2017-12-29","Type":"Other","Title":"Modified"}]}}}