Vulnerability Description
A security vulnerability in Apache bRPC <= 1.6.0 on all platforms allows attackers to inject XSS code into the built-in rpcz page. An attacker who can send HTTP requests to a bRPC server with rpcz enabled can inject arbitrary XSS code into the built-in rpcz page. Solution (choose one of three):
1. Upgrade to bRPC > 1.6.0, download link: https://dist.apache.org/repos/dist/release/brpc/1.6.1/
2. If you are using an old version of bRPC and upgrading is hard, you can apply this patch: https://github.com/apache/brpc/pull/2411
3. Disable the rpcz feature
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Apache | Brpc | < 1.6.1 |
Related Weaknesses (CWE)
References
- http://www.openwall.com/lists/oss-security/2023/10/16/8 (Mailing List, Third Party Advisory)
- https://lists.apache.org/thread/6syxv32fqgl30brfpttrk4rfsb983hl4 (Mailing List, Vendor Advisory)
FAQ
What is CVE-2023-45757?
CVE-2023-45757 is a vulnerability with a CVSS score of 6.1 (MEDIUM). A security vulnerability in Apache bRPC <= 1.6.0 on all platforms allows attackers to inject XSS code into the built-in rpcz page. An attacker who can send HTTP requests to a bRPC server with rpcz enabled can...
How severe is CVE-2023-45757?
CVE-2023-45757 has been rated MEDIUM with a CVSS base score of 6.1/10. Review the CVSS metrics above for a detailed severity breakdown.
Is there a patch for CVE-2023-45757?
Check the references section above for vendor advisories and patch information. Affected products include: Apache Brpc.