Vulnerability Description
By default, Apache CXF creates a /services page containing a listing of the available endpoint names and addresses. This webpage is vulnerable to a reflected Cross-Site Scripting (XSS) attack, which allows a malicious actor to inject javascript into the web page. Please note that the attack exploits a feature which is not typically not present in modern browsers, who remove dot segments before sending the request. However, Mobile applications may be vulnerable.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Apache | Cxf | >= 3.2.0, <= 3.2.12 |
| Oracle | Commerce Guided Search | 11.3.2 |
| Oracle | Communications Element Manager | 8.1.1 |
| Oracle | Communications Session Report Manager | 8.1.1 |
| Oracle | Communications Session Route Manager | 8.1.1 |
| Oracle | Flexcube Private Banking | 12.0.0 |
| Oracle | Retail Order Broker | 15.0 |
Related Weaknesses (CWE)
References
- http://cxf.apache.org/security-advisories.data/CVE-2019-17573.txt.asc?version=1&Vendor Advisory
- http://www.openwall.com/lists/oss-security/2020/11/12/2Mailing ListThird Party Advisory
- https://lists.apache.org/thread.html/r36e44ffc1a9b365327df62cdfaabe85b9a5637de10
- https://lists.apache.org/thread.html/r51fdd73548290b2dfd0b48f7ab69bf9ae064dd1003
- https://lists.apache.org/thread.html/r51fdd73548290b2dfd0b48f7ab69bf9ae064dd1003
- https://lists.apache.org/thread.html/r51fdd73548290b2dfd0b48f7ab69bf9ae064dd1003
- https://lists.apache.org/thread.html/r81a41a2915985d49bc3ea57dde2018b03584a86387
- https://lists.apache.org/thread.html/rd49aabd984ed540c8ff7916d4d79405f3fa311d2fd
- https://lists.apache.org/thread.html/rec7160382badd3ef4ad017a22f64a266c7188b9ba7
- https://lists.apache.org/thread.html/rf3b50583fefce2810cbd37c3d358cbcd9a03e75000
- https://lists.apache.org/thread.html/rfb87e0bf3995e7d560afeed750fac9329ff5f1ad49
- https://lists.apache.org/thread.html/rff42cfa5e7d75b7c1af0e37589140a8f1999e578a7
- https://www.oracle.com/security-alerts/cpuApr2021.htmlPatchThird Party Advisory
- https://www.oracle.com/security-alerts/cpujul2020.htmlPatchThird Party Advisory
- http://cxf.apache.org/security-advisories.data/CVE-2019-17573.txt.asc?version=1&Vendor Advisory
FAQ
What is CVE-2019-17573?
CVE-2019-17573 is a vulnerability with a CVSS score of 6.1 (MEDIUM). By default, Apache CXF creates a /services page containing a listing of the available endpoint names and addresses. This webpage is vulnerable to a reflected Cross-Site Scripting (XSS) attack, which a...
How severe is CVE-2019-17573?
CVE-2019-17573 has been rated MEDIUM with a CVSS base score of 6.1/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2019-17573?
Check the references section above for vendor advisories and patch information. Affected products include: Apache Cxf, Oracle Commerce Guided Search, Oracle Communications Element Manager, Oracle Communications Session Report Manager, Oracle Communications Session Route Manager.