Lucene search

K

GitHub Advisory DatabaseGHSA-64X2-GQ24-75PV

HistoryApr 22, 2021 - 4:15 p.m.

Cross-site scripting in Apache CXF

2021-04-2216:15:23

CWE-79

GitHub Advisory Database

github.com

58

apache cxf

xss

vulnerability

web page

javascript

cve-2019-17573

software

CVSS2

4.3

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:N/I:P/A:N

CVSS3

6.1

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

EPSS

0.19

Percentile

96.4%

By default, Apache CXF creates a /services page containing a listing of the available endpoint names and addresses. This webpage is vulnerable to a reflected Cross-Site Scripting (XSS) attack via the styleSheetPath, which allows a malicious actor to inject javascript into the web page. This vulnerability affects all versions of Apache CXF prior to 3.4.1 and 3.3.8. Please note that this is a separate issue to CVE-2019-17573.

Affected configurations

Vulners

Node

org.apache.cxfcxfRange3.4.0–3.4.1

OR

org.apache.cxfcxfRange<3.3.8

OR

org.apache.cxfapache-cxfRange3.4.0–3.4.1

OR

org.apache.cxfapache-cxfRange<3.3.8

VendorProductVersionCPE
org.apache.cxfcxf*cpe:2.3:a:org.apache.cxf:cxf:*:*:*:*:*:*:*:*
org.apache.cxfapache-cxf*cpe:2.3:a:org.apache.cxf:apache-cxf:*:*:*:*:*:*:*:*

References

cxf.apache.org/security-advisories.data/CVE-2020-13954.txt.asc?version=1&modificationDate=1605183670659&api=v2

www.openwall.com/lists/oss-security/2020/11/12/2

github.com/advisories/GHSA-64x2-gq24-75pv

lists.apache.org/thread.html/r51fdd73548290b2dfd0b48f7ab69bf9ae064dd100364cd8a15f0b3ec@%3Cannounce.apache.org%3E

lists.apache.org/thread.html/r51fdd73548290b2dfd0b48f7ab69bf9ae064dd100364cd8a15f0b3ec@%3Cdev.cxf.apache.org%3E

lists.apache.org/thread.html/r51fdd73548290b2dfd0b48f7ab69bf9ae064dd100364cd8a15f0b3ec@%3Cusers.cxf.apache.org%3E

lists.apache.org/thread.html/r640719c9ce5671f239a6f002c20e14062effe4b318a580b6746aa5ef@%3Cdev.syncope.apache.org%3E

lists.apache.org/thread.html/r81a41a2915985d49bc3ea57dde2018b03584a863878a8532a89f993f@%3Cusers.cxf.apache.org%3E

lists.apache.org/thread.html/rd49aabd984ed540c8ff7916d4d79405f3fa311d2fdbcf9ed307839a6@%3Ccommits.cxf.apache.org%3E

lists.apache.org/thread.html/rec7160382badd3ef4ad017a22f64a266c7188b9ba71394f0d321e2d4@%3Ccommits.cxf.apache.org%3E

lists.apache.org/thread.html/rfb87e0bf3995e7d560afeed750fac9329ff5f1ad49da365129b7f89e@%3Ccommits.cxf.apache.org%3E

nvd.nist.gov/vuln/detail/CVE-2020-13954

security.netapp.com/advisory/ntap-20210513-0010/

www.oracle.com/security-alerts/cpuApr2021.html

www.oracle.com/security-alerts/cpuapr2022.html

www.oracle.com/security-alerts/cpujan2021.html

www.oracle.com/security-alerts/cpuoct2021.html

CVSS2

4.3

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:N/I:P/A:N

CVSS3

6.1

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

EPSS

0.19

Percentile

96.4%

Related for GHSA-64X2-GQ24-75PV

redhatcve2 nvd2 prion2 cvelist2 osv4 cve2 ibm30 nessus7 veracode2 redhat17 github1 oracle5