Description

The J2EE application use System.exit(), it is undesirable for a web application to attempt to shut down the application container. Accessing a function that can shut down the application is an avenue for denial of service (DoS) attacks.

Impact

- Temporarily or permanently deny access to the application resource.

Recommendation

Delegate shutdown functions only to privileged and duly authorized accesses.

Threat

Authenticated attacker from the Internet.

Expected Remediation Time

⌚ 15 minutes.

Score

Default score using CVSS 3.1. It may change depending on the context of the src.

Base

• Attack vector: N
• Attack complexity: H
• Privileges required: L
• User interaction: N
• Scope: U
• Confidentiality: N
• Integrity: N
• Availability: L

Temporal

• Exploit code maturity: U
• Remediation level: U
• Report confidence: R

Result

• Vector string: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L/E:U/RL:U/RC:R
• Score:
• Base: 3.1
• Temporal: 2.8
• Severity:
• Base: Low
• Temporal: Low

Score 4.0

Default score using CVSS 4.0. It may change depending on the context of the src.

Base 4.0

• Attack vector: N
• Attack complexity: H
• Attack Requirements: N
• Privileges required: L
• User interaction: N
• Confidentiality (VC): N
• Integrity (VI): N
• Availability (VA): L
• Confidentiality (SC): N
• Integrity (SI): N
• Availability (SA): N

Threat 4.0

• Exploit maturity: U

Result 4.0

• Vector string: CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U
• Score:
• CVSS-BT: 0.6
• Severity:
• CVSS-BT: Low

Requirements

• 164.Use optimized structures
• 167.Close unused resources
• 072.Set maximum response time
• 327.Set a rate limit

Fixes

• Ruby

Free trial

Search for vulnerabilities in your apps for free with Fluid Attacks' automated security testing! Start your 21-day free trial and discover the benefits of the Continuous Hacking Essential plan. If you prefer the Advanced plan, which includes the expertise of Fluid Attacks' hacking team, fill out this contact form.