CVE-2019-17573
- EPSS 15.54%
- Published 16.01.2020 18:15:11
- Last modified 21.11.2024 04:32:33
- Source security@apache.org
By default, Apache CXF creates a /services page containing a listing of the available endpoint names and addresses. This web page is vulnerable to a reflected Cross-Site Scripting (XSS) attack, which allows a malicious actor to inject JavaScript into the page. Note that the attack relies on a request containing dot segments (e.g. "..") reaching the server unchanged; modern browsers remove dot segments before sending the request, so they are typically not affected. Non-browser clients such as mobile applications, which may send the raw path, may be vulnerable.
Data is provided by the National Vulnerability Database (NVD)
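The description hinges on dot-segment normalisation: a browser applies RFC 3986 "remove_dot_segments" to the path before the request leaves the client, so a path that smuggles a script tag past a ".." no longer reaches the /services handler, while a raw HTTP client sends it as typed. The following added example (not code from the Apache CXF project or from the advisory) implements that normalisation to show what a browser would actually send, and runs a small detector over constructed access-log lines to flag non-browser requests to /services that carry both dot segments and script-like content. The payload shape (a ".." followed by a script tag) is assumed from the description, not taken from a published proof of concept, and the IP addresses and log lines are made up.

```python
"""Added example (not from Apache CXF or the CVE advisory).

1. remove_dot_segments(): RFC 3986 section 5.2.4, the normalisation a
   browser applies before sending a request.
2. scan(): flag requests to /services whose path still contains dot
   segments (i.e. came from a client that did not normalise) and that
   also carry script-like content.
"""
import re
from urllib.parse import unquote

# Constructed sample access log (Common Log Format); not real traffic.
# The IPs and paths are invented for this example.
SAMPLE_LOG = """\
10.0.0.5 - - [16/Jan/2020:18:15:11 +0000] "GET /services HTTP/1.1" 200 2310
10.0.0.5 - - [16/Jan/2020:18:15:12 +0000] "GET /services/ HTTP/1.1" 200 2310
10.0.0.9 - - [16/Jan/2020:18:16:03 +0000] "GET /services/../<script>alert(1)</script> HTTP/1.1" 200 2398
10.0.0.9 - - [16/Jan/2020:18:16:04 +0000] "GET /services/..%2F%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 2398
10.0.0.7 - - [16/Jan/2020:18:17:20 +0000] "GET /services/../soap/Greeter?wsdl HTTP/1.1" 200 1190
"""

LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \S+$'
)

# Script-like content that has no business in a /services request path.
SUSPICIOUS = re.compile(r"</?script|javascript:|\bon\w+\s*=", re.IGNORECASE)


def remove_dot_segments(path: str) -> str:
    """Resolve "." and ".." in a URL path as RFC 3986 5.2.4 prescribes.

    Browsers do this before sending, so "/services/../x" is sent as "/x".
    """
    segments = path.split("/")
    out: list[str] = []
    for seg in segments:
        if seg == ".":
            continue
        if seg == "..":
            # Keep the leading empty segment that represents the root "/".
            if len(out) > 1:
                out.pop()
            continue
        out.append(seg)
    # A trailing "." or ".." leaves a trailing slash.
    if segments and segments[-1] in (".", ".."):
        out.append("")
    return "/".join(out)


def is_suspicious_services_request(raw_path: str) -> bool:
    """True if a /services request carries dot segments AND script-like data.

    Percent-decoding is applied first so encoded variants are caught too.
    Dot segments alone are not flagged: some clients send them benignly.
    """
    decoded = unquote(raw_path)
    path_only = decoded.split("?", 1)[0]
    if not path_only.startswith("/services"):
        return False
    has_dot_segments = remove_dot_segments(path_only) != path_only
    return has_dot_segments and SUSPICIOUS.search(decoded) is not None


def scan(log_text: str) -> list[tuple[str, str]]:
    """Return (client_ip, raw_path) for every flagged request in the log."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue  # skip lines that are not in Common Log Format
        if is_suspicious_services_request(m["path"]):
            hits.append((m["ip"], m["path"]))
    return hits


if __name__ == "__main__":
    payload = "/services/../<script>alert(1)</script>"
    print("raw client sends   :", payload)
    print("browser would send :", remove_dot_segments(payload))
    for ip, path in scan(SAMPLE_LOG):
        print("FLAGGED", ip, path)
```

The browser-normalised form of the sample path no longer starts with /services at all, which is why the advisory limits the practical exposure to clients that forward the path verbatim. The detector deliberately ignores the `/services/../soap/...` line: dot segments from non-browser clients are common and only become interesting when combined with script-like content.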
Oracle ≫ Commerce Guided Search Version 11.3.2
Oracle ≫ Communications Element Manager Version 8.1.1
Oracle ≫ Communications Element Manager Version 8.2.0
Oracle ≫ Communications Element Manager Version 8.2.1
Oracle ≫ Communications Session Report Manager Version 8.1.1
Oracle ≫ Communications Session Report Manager Version 8.2.0
Oracle ≫ Communications Session Report Manager Version 8.2.1
Oracle ≫ Communications Session Route Manager Version 8.1.1
Oracle ≫ Communications Session Route Manager Version 8.2.0
Oracle ≫ Communications Session Route Manager Version 8.2.1
Oracle ≫ Flexcube Private Banking Version 12.0.0
Oracle ≫ Flexcube Private Banking Version 12.1.0
Oracle ≫ Retail Order Broker Version 15.0
No CISA KEV entry or CERT.AT warning was found for this CVE.
Type | Source | Score | Percentile |
---|---|---|---|
EPSS | FIRST.org | 15.54% | 0.943 |
Source | Base Score | Exploit Score | Impact Score | Vector string |
---|---|---|---|---|
nvd@nist.gov | 6.1 | 2.8 | 2.7 | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
nvd@nist.gov | 4.3 | 8.6 | 2.9 | AV:N/AC:M/Au:N/C:N/I:P/A:N (CVSS v2) |
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.