2023-04-24 12:24:31 +02:00
{
"id" : "CVE-2020-13954" ,
"sourceIdentifier" : "security@apache.org" ,
"published" : "2020-11-12T13:15:11.353" ,
2023-11-07 21:03:21 +00:00
"lastModified" : "2023-11-07T03:17:03.450" ,
"vulnStatus" : "Modified" ,
2023-04-24 12:24:31 +02:00
"descriptions" : [
{
"lang" : "en" ,
"value" : "By default, Apache CXF creates a /services page containing a listing of the available endpoint names and addresses. This webpage is vulnerable to a reflected Cross-Site Scripting (XSS) attack via the styleSheetPath, which allows a malicious actor to inject javascript into the web page. This vulnerability affects all versions of Apache CXF prior to 3.4.1 and 3.3.8. Please note that this is a separate issue to CVE-2019-17573."
} ,
{
"lang" : "es" ,
"value" : "Por defecto, Apache CXF crea una p\u00e1gina /services que contiene una lista de los nombres y direcciones de los endpoints disponibles. Esta p\u00e1gina web es vulnerable a un ataque de tipo Cross-Site Scripting (XSS) reflejado por medio de styleSheetPath, que permite a un actor malicioso inyectar javascript en la p\u00e1gina web. Esta vulnerabilidad afecta a todas las versiones de Apache CXF versiones anteriores a 3.4.1 y 3.3.8. Por favor tome en cuenta que este es un problema independiente de CVE-2019-17573"
}
] ,
"metrics" : {
"cvssMetricV31" : [
{
"source" : "nvd@nist.gov" ,
"type" : "Primary" ,
"cvssData" : {
"version" : "3.1" ,
"vectorString" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" ,
"attackVector" : "NETWORK" ,
"attackComplexity" : "LOW" ,
"privilegesRequired" : "NONE" ,
"userInteraction" : "REQUIRED" ,
"scope" : "CHANGED" ,
"confidentialityImpact" : "LOW" ,
"integrityImpact" : "LOW" ,
"availabilityImpact" : "NONE" ,
"baseScore" : 6.1 ,
"baseSeverity" : "MEDIUM"
} ,
"exploitabilityScore" : 2.8 ,
"impactScore" : 2.7
}
] ,
"cvssMetricV2" : [
{
"source" : "nvd@nist.gov" ,
"type" : "Primary" ,
"cvssData" : {
"version" : "2.0" ,
"vectorString" : "AV:N/AC:M/Au:N/C:N/I:P/A:N" ,
"accessVector" : "NETWORK" ,
"accessComplexity" : "MEDIUM" ,
"authentication" : "NONE" ,
"confidentialityImpact" : "NONE" ,
"integrityImpact" : "PARTIAL" ,
"availabilityImpact" : "NONE" ,
"baseScore" : 4.3
} ,
"baseSeverity" : "MEDIUM" ,
"exploitabilityScore" : 8.6 ,
"impactScore" : 2.9 ,
"acInsufInfo" : false ,
"obtainAllPrivilege" : false ,
"obtainUserPrivilege" : false ,
"obtainOtherPrivilege" : false ,
"userInteractionRequired" : true
}
]
} ,
"weaknesses" : [
{
"source" : "nvd@nist.gov" ,
"type" : "Primary" ,
"description" : [
{
"lang" : "en" ,
"value" : "CWE-79"
}
]
} ,
{
2024-04-04 08:46:00 +00:00
"source" : "security@apache.org" ,
2023-04-24 12:24:31 +02:00
"type" : "Secondary" ,
"description" : [
{
"lang" : "en" ,
"value" : "CWE-79"
}
]
}
] ,
"configurations" : [
{
"nodes" : [
{
"operator" : "OR" ,
"negate" : false ,
"cpeMatch" : [
{
"vulnerable" : true ,
"criteria" : "cpe:2.3:a:apache:cxf:*:*:*:*:*:*:*:*" ,
"versionEndExcluding" : "3.3.8" ,
"matchCriteriaId" : "7B31BB62-D9E6-4D4C-80B3-DA2681089BDE"
} ,
{
"vulnerable" : true ,
"criteria" : "cpe:2.3:a:apache:cxf:*:*:*:*:*:*:*:*" ,
"versionStartIncluding" : "3.4.0" ,
"versionEndExcluding" : "3.4.1" ,
"matchCriteriaId" : "5737761F-C2F0-4E03-85EF-CF3F5744B594"
}
]
}
]
} ,
{
"nodes" : [
{
"operator" : "OR" ,
"negate" : false ,
"cpeMatch" : [
{
"vulnerable" : true ,
"criteria" : "cpe:2.3:a:netapp:snap_creator_framework:-:*:*:*:*:*:*:*" ,
"matchCriteriaId" : "9F4754FB-E3EB-454A-AB1A-AE3835C5350C"
} ,
{
"vulnerable" : true ,
"criteria" : "cpe:2.3:a:netapp:vasa_provider_for_clustered_data_ontap:*:*:*:*:*:*:*:*" ,
"versionStartIncluding" : "9.6" ,
"matchCriteriaId" : "0C0FF89C-3DC1-4FF4-9447-128028EEA80B"
}
]
}
]
} ,
{
"nodes" : [
{
"operator" : "OR" ,
"negate" : false ,
"cpeMatch" : [
{
"vulnerable" : true ,
"criteria" : "cpe:2.3:a:oracle:business_intelligence:5.5.0.0.0:*:*:*:enterprise:*:*:*" ,
"matchCriteriaId" : "D40AD626-B23A-44A3-A6C0-1FFB4D647AE4"
} ,
{
"vulnerable" : true ,
"criteria" : "cpe:2.3:a:oracle:business_intelligence:5.9.0.0.0:*:*:*:enterprise:*:*:*" ,
"matchCriteriaId" : "B602F9E8-1580-436C-A26D-6E6F8121A583"
} ,
{
"vulnerable" : true ,
"criteria" : "cpe:2.3:a:oracle:business_intelligence:12.2.1.3.0:*:*:*:enterprise:*:*:*" ,
"matchCriteriaId" : "77C3DD16-1D81-40E1-B312-50FBD275507C"
} ,
{
"vulnerable" : true ,
"criteria" : "cpe:2.3:a:oracle:business_intelligence:12.2.1.4.0:*:*:*:enterprise:*:*:*" ,
"matchCriteriaId" : "81DAC8C0-D342-44B5-9432-6B88D389584F"
} ,
{
"vulnerable" : true ,
"criteria" : "cpe:2.3:a:oracle:retail_order_broker_cloud_service:15.0:*:*:*:*:*:*:*" ,
"matchCriteriaId" : "3B9763AF-282B-40C7-B35C-4CA8C22FDC76"
} ,
{
"vulnerable" : true ,
"criteria" : "cpe:2.3:o:oracle:communications_messaging_server:8.0.2:*:*:*:*:*:*:*" ,
"matchCriteriaId" : "E819270D-AA7D-4B0E-990B-D25AB6E46FBC"
} ,
{
"vulnerable" : true ,
"criteria" : "cpe:2.3:o:oracle:communications_messaging_server:8.1:*:*:*:*:*:*:*" ,
"matchCriteriaId" : "7569C0BD-16C1-441E-BAEB-840C94BE73EF"
}
]
}
]
}
] ,
"references" : [
{
"url" : "http://cxf.apache.org/security-advisories.data/CVE-2020-13954.txt.asc?version=1&modificationDate=1605183670659&api=v2" ,
"source" : "security@apache.org" ,
"tags" : [
"Vendor Advisory"
]
} ,
{
"url" : "http://www.openwall.com/lists/oss-security/2020/11/12/2" ,
"source" : "security@apache.org" ,
"tags" : [
"Mailing List" ,
"Third Party Advisory" ,
"Vendor Advisory"
]
} ,
{
2023-11-07 21:03:21 +00:00
"url" : "https://lists.apache.org/thread.html/r51fdd73548290b2dfd0b48f7ab69bf9ae064dd100364cd8a15f0b3ec%40%3Cannounce.apache.org%3E" ,
"source" : "security@apache.org"
2023-04-24 12:24:31 +02:00
} ,
{
2023-11-07 21:03:21 +00:00
"url" : "https://lists.apache.org/thread.html/r51fdd73548290b2dfd0b48f7ab69bf9ae064dd100364cd8a15f0b3ec%40%3Cdev.cxf.apache.org%3E" ,
"source" : "security@apache.org"
2023-04-24 12:24:31 +02:00
} ,
{
2023-11-07 21:03:21 +00:00
"url" : "https://lists.apache.org/thread.html/r51fdd73548290b2dfd0b48f7ab69bf9ae064dd100364cd8a15f0b3ec%40%3Cusers.cxf.apache.org%3E" ,
"source" : "security@apache.org"
2023-04-24 12:24:31 +02:00
} ,
{
2023-11-07 21:03:21 +00:00
"url" : "https://lists.apache.org/thread.html/r640719c9ce5671f239a6f002c20e14062effe4b318a580b6746aa5ef%40%3Cdev.syncope.apache.org%3E" ,
"source" : "security@apache.org"
2023-04-24 12:24:31 +02:00
} ,
{
2023-11-07 21:03:21 +00:00
"url" : "https://lists.apache.org/thread.html/r81a41a2915985d49bc3ea57dde2018b03584a863878a8532a89f993f%40%3Cusers.cxf.apache.org%3E" ,
"source" : "security@apache.org"
2023-04-24 12:24:31 +02:00
} ,
{
2023-11-07 21:03:21 +00:00
"url" : "https://lists.apache.org/thread.html/rd49aabd984ed540c8ff7916d4d79405f3fa311d2fdbcf9ed307839a6%40%3Ccommits.cxf.apache.org%3E" ,
"source" : "security@apache.org"
2023-04-24 12:24:31 +02:00
} ,
{
2023-11-07 21:03:21 +00:00
"url" : "https://lists.apache.org/thread.html/rec7160382badd3ef4ad017a22f64a266c7188b9ba71394f0d321e2d4%40%3Ccommits.cxf.apache.org%3E" ,
"source" : "security@apache.org"
2023-04-24 12:24:31 +02:00
} ,
{
2023-11-07 21:03:21 +00:00
"url" : "https://lists.apache.org/thread.html/rfb87e0bf3995e7d560afeed750fac9329ff5f1ad49da365129b7f89e%40%3Ccommits.cxf.apache.org%3E" ,
"source" : "security@apache.org"
2023-04-24 12:24:31 +02:00
} ,
{
"url" : "https://security.netapp.com/advisory/ntap-20210513-0010/" ,
"source" : "security@apache.org" ,
"tags" : [
"Third Party Advisory"
]
} ,
{
"url" : "https://www.oracle.com/security-alerts/cpuApr2021.html" ,
"source" : "security@apache.org" ,
"tags" : [
"Patch" ,
"Third Party Advisory"
]
} ,
{
"url" : "https://www.oracle.com/security-alerts/cpuapr2022.html" ,
"source" : "security@apache.org" ,
"tags" : [
"Not Applicable" ,
"Third Party Advisory"
]
} ,
{
"url" : "https://www.oracle.com/security-alerts/cpujan2021.html" ,
"source" : "security@apache.org" ,
"tags" : [
"Patch" ,
"Third Party Advisory"
]
} ,
{
"url" : "https://www.oracle.com/security-alerts/cpuoct2021.html" ,
"source" : "security@apache.org" ,
"tags" : [
"Patch" ,
"Third Party Advisory"
]
}
]
}
