1898235 – (CVE-2020-13954) CVE-2020-13954 cxf: XSS via the styleSheetPath

Bug 1898235 (CVE-2020-13954) - CVE-2020-13954 cxf: XSS via the styleSheetPath

Summary: CVE-2020-13954 cxf: XSS via the styleSheetPath

Keywords:
Status:	CLOSED ERRATA
Alias:	CVE-2020-13954
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:	1898236
TreeView+	depends on / blocked

Reported:	2020-11-16 16:46 UTC by Guilherme de Almeida Suckevicz
Modified:	2022-01-28 08:19 UTC (History)
CC List:	67 users (show)
Fixed In Version:	apache cxf 3.3.8, apache cxf 3.4.1
Clone Of:
Environment:
Last Closed:	2021-08-11 19:28:45 UTC
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2021:3140	0	None	None	None	2021-08-11 18:23:36 UTC

Description Guilherme de Almeida Suckevicz 2020-11-16 16:46:25 UTC

By default, Apache CXF creates a /services page containing a listing of the available endpoint names and addresses. This webpage is vulnerable to a reflected Cross-Site Scripting (XSS) attack via the styleSheetPath, which allows a malicious actor to inject javascript into the web page. This vulnerability affects all versions of Apache CXF prior to 3.4.1 and 3.3.8. Please note that this is a separate issue to CVE-2019-17573.

References:
http://cxf.apache.org/security-advisories.data/CVE-2020-13954.txt.asc
http://cxf.apache.org/security-advisories.html

Comment 1 Chess Hazlett 2020-11-17 23:13:07 UTC

Mitigation:

Users can disable the service listing altogether by setting the "hide-service-list-page" servlet parameter to "true".

Comment 5 errata-xmlrpc 2021-08-11 18:23:33 UTC

This issue has been addressed in the following products:

  Red Hat Fuse 7.9

Via RHSA-2021:3140 https://access.redhat.com/errata/RHSA-2021:3140

Comment 6 Product Security DevOps Team 2021-08-11 19:28:45 UTC

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-13954

Note You need to log in before you can comment on or make changes to this bug.

aboyko
aileenc
akoufoud
alazarot
almorale
anstephe
asoldano
atangrin
avibelli
bbaranow
bgeorges
bibryam
bmaxwell
brian.stansberry
cdewolf
chazlett
cmoulliard
darran.lofthouse
dkreling
dosoudil
drieden
eleandro
etirelli
ganandan
ggaughan
gmalinko
hbraun
ibek
ikanello
iweiss
janstey
jawilson
jbalunas
jnethert
jochrist
jolee
jpallich
jperkins
jschatte
jstastny
jwon
krathod
kverlaen
kwills
lgao
lthon
mnovotny
msochure
msvehla
mszynkie
nwallace
pantinor
pdrozd
pgallagh
pjindal
pmackay
rguimara
rrajasek
rruss
rstancel
rsvoboda
rsynek
sdaley
smaestri
sthorger
tom.jenkinson
vhalbert