Lucene search

[email protected]CVE-2019-17091

HistoryOct 02, 2019 - 2:15 p.m.

CVE-2019-17091

2019-10-0214:15:00

CWE-79

[email protected]

web.nvd.nist.gov

cve-2019-17091

reflected xss

mojarra

eclipse

nvd

security vulnerability

6.1 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

7.2 High

AI Score

Confidence

High

4.3 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:N/I:P/A:N

0.002 Low

EPSS

Percentile

55.3%

JSON

faces/context/PartialViewContextImpl.java in Eclipse Mojarra, as used in Mojarra for Eclipse EE4J before 2.3.10 and Mojarra JavaServer Faces before 2.2.20, allows Reflected XSS because a client window field is mishandled.

CPENameOperatorVersion
eclipse:mojarraeclipse mojarralt2.3.10
oracle:mojarra_javaserver_facesoracle mojarra javaserver faceslt2.2.20
oracle:retail_service_backboneoracle retail service backboneeq15.0
oracle:retail_integration_busoracle retail integration buseq15.0
oracle:retail_merchandising_systemoracle retail merchandising systemeq16.0
oracle:application_testing_suiteoracle application testing suiteeq13.2.0.1
oracle:application_testing_suiteoracle application testing suiteeq13.3.0.1
oracle:secure_global_desktoporacle secure global desktopeq5.4
oracle:health_sciences_information_manageroracle health sciences information managereq3.0
oracle:retail_integration_busoracle retail integration buseq16.0

CPE	Name	Operator	Version
eclipse:mojarra	eclipse mojarra	lt	2.3.10
oracle:mojarra_javaserver_faces	oracle mojarra javaserver faces	lt	2.2.20
oracle:retail_service_backbone	oracle retail service backbone	eq	15.0
oracle:retail_integration_bus	oracle retail integration bus	eq	15.0
oracle:retail_merchandising_system	oracle retail merchandising system	eq	16.0
oracle:application_testing_suite	oracle application testing suite	eq	13.2.0.1
oracle:application_testing_suite	oracle application testing suite	eq	13.3.0.1
oracle:secure_global_desktop	oracle secure global desktop	eq	5.4
oracle:health_sciences_information_manager	oracle health sciences information manager	eq	3.0
oracle:retail_integration_bus	oracle retail integration bus	eq	16.0

Rows per page:

1-10 of 401

References

bugs.eclipse.org/bugs/show_bug.cgi?id=548244

github.com/eclipse-ee4j/mojarra/commit/8f70f2bd024f00ecd5b3dcca45df73edda29dcee

github.com/eclipse-ee4j/mojarra/commit/a3fa9573789ed5e867c43ea38374f4dbd5a8f81f

github.com/eclipse-ee4j/mojarra/compare/2.3.9-RELEASE...2.3.10-RELEASE

github.com/eclipse-ee4j/mojarra/files/3039198/advisory.txt

github.com/eclipse-ee4j/mojarra/issues/4556

github.com/eclipse-ee4j/mojarra/pull/4567

github.com/javaserverfaces/mojarra/commit/ae1c234d0a6750822ac69d4ae26d90e3571f27fe

github.com/javaserverfaces/mojarra/commit/f61935cd39f34329fbf27b1972a506fbdd0ab4d4

github.com/javaserverfaces/mojarra/compare/2.2.19...2.2.20

www.oracle.com/security-alerts/cpuapr2020.html

www.oracle.com/security-alerts/cpujan2020.html

www.oracle.com/security-alerts/cpujan2021.html

www.oracle.com/security-alerts/cpujan2022.html

www.oracle.com/security-alerts/cpujul2020.html

www.oracle.com/security-alerts/cpuoct2020.html

www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html

6.1 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

7.2 High

AI Score

Confidence

High

4.3 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:N/I:P/A:N

0.002 Low

EPSS

Percentile

55.3%

JSON

Related for CVE-2019-17091

prion1 osv2 debiancve1 symantec1 github1 nessus4 kaspersky1 oracle8