CVE-2019-17573

{"id": "CVE-2019-17573", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 4.3, "accessVector": "NETWORK", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "MEDIUM", "availabilityImpact": "NONE", "confidentialityImpact": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 8.6, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": true}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.1, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 2.7, "exploitabilityScore": 2.8}]}, "published": "2020-01-16T18:15:11.587", "references": [{"url": "http://cxf.apache.org/security-advisories.data/CVE-2019-17573.txt.asc?version=1&modificationDate=1579178542000&api=v2", "tags": ["Vendor Advisory"], "source": "security@apache.org"}, {"url": "http://www.openwall.com/lists/oss-security/2020/11/12/2", "tags": ["Mailing List", "Third Party Advisory"], "source": "security@apache.org"}, {"url": "https://lists.apache.org/thread.html/r36e44ffc1a9b365327df62cdfaabe85b9a5637de102cea07d79b2dbf%40%3Ccommits.cxf.apache.org%3E", "source": "security@apache.org"}, {"url": "https://lists.apache.org/thread.html/r51fdd73548290b2dfd0b48f7ab69bf9ae064dd100364cd8a15f0b3ec%40%3Cannounce.apache.org%3E", "source": "security@apache.org"}, {"url": "https://lists.apache.org/thread.html/r51fdd73548290b2dfd0b48f7ab69bf9ae064dd100364cd8a15f0b3ec%40%3Cdev.cxf.apache.org%3E", "source": "security@apache.org"}, {"url": "https://lists.apache.org/thread.html/r51fdd73548290b2dfd0b48f7ab69bf9ae064dd100364cd8a15f0b3ec%40%3Cusers.cxf.apache.org%3E", "source": "security@apache.org"}, {"url": "https://lists.apache.org/thread.html/r81a41a2915985d49bc3ea57dde2018b03584a863878a8532a89f993f%40%3Cusers.cxf.apache.org%3E", "source": "security@apache.org"}, {"url": "https://lists.apache.org/thread.html/rd49aabd984ed540c8ff7916d4d79405f3fa311d2fdbcf9ed307839a6%40%3Ccommits.cxf.apache.org%3E", "source": "security@apache.org"}, {"url": "https://lists.apache.org/thread.html/rec7160382badd3ef4ad017a22f64a266c7188b9ba71394f0d321e2d4%40%3Ccommits.cxf.apache.org%3E", "source": "security@apache.org"}, {"url": "https://lists.apache.org/thread.html/rf3b50583fefce2810cbd37c3d358cbcd9a03e750005950bf54546194%40%3Cannounce.apache.org%3E", "source": "security@apache.org"}, {"url": "https://lists.apache.org/thread.html/rfb87e0bf3995e7d560afeed750fac9329ff5f1ad49da365129b7f89e%40%3Ccommits.cxf.apache.org%3E", "source": "security@apache.org"}, {"url": "https://lists.apache.org/thread.html/rff42cfa5e7d75b7c1af0e37589140a8f1999e578a75738740b244bd4%40%3Ccommits.cxf.apache.org%3E", "source": "security@apache.org"}, {"url": "https://www.oracle.com/security-alerts/cpuApr2021.html", "tags": ["Patch", "Third Party Advisory"], "source": "security@apache.org"}, {"url": "https://www.oracle.com/security-alerts/cpujul2020.html", "tags": ["Patch", "Third Party Advisory"], "source": "security@apache.org"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-79"}]}], "descriptions": [{"lang": "en", "value": "By default, Apache CXF creates a /services page containing a listing of the available endpoint names and addresses. This webpage is vulnerable to a reflected Cross-Site Scripting (XSS) attack, which allows a malicious actor to inject javascript into the web page. Please note that the attack exploits a feature which is not typically not present in modern browsers, who remove dot segments before sending the request. However, Mobile applications may be vulnerable."}, {"lang": "es", "value": "Por defecto, Apache CXF crea una p\u00e1gina /services que contiene una lista de los nombres y direcciones de endpoint disponibles. Esta p\u00e1gina web es vulnerable a un ataque de tipo Cross-Site Scripting (XSS) reflejado, que permite a un actor malicioso inyectar JavaScript en la p\u00e1gina web. Por favor tenga en cuenta que el ataque explota una caracter\u00edstica que t\u00edpicamente no est\u00e1 presente en los navegadores modernos, que eliminan segmentos de puntos antes de enviar la petici\u00f3n. Sin embargo, las aplicaciones m\u00f3viles pueden ser vulnerables."}], "lastModified": "2023-11-07T03:06:21.737", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:apache:cxf:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "984D3764-51E7-43E3-B5A3-41CECC982409", "versionEndIncluding": "3.2.12", "versionStartIncluding": "3.2.0"}, {"criteria": "cpe:2.3:a:apache:cxf:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "291B8116-D0B0-4A72-BD51-B941D2129943", "versionEndExcluding": "3.3.5", "versionStartIncluding": "3.3.0"}], "operator": "OR"}]}, {"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:oracle:commerce_guided_search:11.3.2:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "2A3622F5-5976-4BBC-A147-FC8A6431EA79"}, {"criteria": "cpe:2.3:a:oracle:communications_element_manager:8.1.1:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "0C57FD3A-0CC1-4BA9-879A-8C4A40234162"}, {"criteria": "cpe:2.3:a:oracle:communications_element_manager:8.2.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "698FB6D0-B26F-4760-9B9B-1C65FBFF2126"}, {"criteria": "cpe:2.3:a:oracle:communications_element_manager:8.2.1:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "4F1D64BC-17BF-4DAE-B5FC-BC41F9C12DFD"}, {"criteria": "cpe:2.3:a:oracle:communications_session_report_manager:8.1.1:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "DB43DFD4-D058-4001-BD19-488E059F4532"}, {"criteria": "cpe:2.3:a:oracle:communications_session_report_manager:8.2.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "086E2E5C-44EB-4C07-B298-C04189533996"}, {"criteria": "cpe:2.3:a:oracle:communications_session_report_manager:8.2.1:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "AA77B994-3872-4059-854B-0974AA5593D4"}, {"criteria": "cpe:2.3:a:oracle:communications_session_route_manager:8.1.1:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "5682DAEB-3810-4541-833A-568C868BCE0B"}, {"criteria": "cpe:2.3:a:oracle:communications_session_route_manager:8.2.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "01BC9AED-F81D-4344-AD97-EEF19B6EA8C7"}, {"criteria": "cpe:2.3:a:oracle:communications_session_route_manager:8.2.1:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "8198E762-9AD9-452B-B1AF-516E52436B7D"}, {"criteria": "cpe:2.3:a:oracle:flexcube_private_banking:12.0.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "6762F207-93C7-4363-B2F9-7A7C6F8AF993"}, {"criteria": "cpe:2.3:a:oracle:flexcube_private_banking:12.1.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "1B74B912-152D-4F38-9FC1-741D6D0B27FC"}, {"criteria": "cpe:2.3:a:oracle:retail_order_broker:15.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "EE8CF045-09BB-4069-BCEC-496D5AE3B780"}], "operator": "OR"}]}], "sourceIdentifier": "security@apache.org"}