
====================================================================

                             CERT-Renater

                 Information Note No. 2020/VULN624
_____________________________________________________________________

DATE                : 13/11/2020

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Apache CXF versions prior to
                     3.3.8, 3.4.1.

=====================================================================
http://mail-archives.apache.org/mod_mbox/www-announce/202011.mbox/%3cCAB8XdGBevyA-oXzkZZ97+DZRXNpaMD0XSyo6yCLRmUkNhr6cXQ@mail.gmail.com%3e
_____________________________________________________________________

Description:

By default, Apache CXF creates a /services page containing a listing of
the available endpoint names and addresses. This webpage is vulnerable
to a reflected Cross-Site Scripting (XSS) attack via the styleSheetPath,
which allows a malicious actor to inject JavaScript into the web page.

This vulnerability affects all versions of Apache CXF prior to 3.4.1 and
3.3.8.

Please note that this is a separate issue to CVE-2019-17573.


Workaround:

Users of Apache CXF should update to either 3.3.8 or 3.4.1.
Alternatively, it is possible to disable the service listing altogether
by setting the "hide-service-list-page" servlet parameter to "true".
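
The following audit sketch is an added example, not part of the original advisory or of Apache CXF. It checks a deployment against the two remediations above: whether the CXF version predates 3.3.8 / 3.4.1, and whether web.xml sets "hide-service-list-page" to "true" on the CXF servlet. It assumes a web.xml-based deployment; the function names and the sample descriptor are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

CXF_SERVLETS = {"org.apache.cxf.transport.servlet.CXFServlet",
                "org.apache.cxf.transport.servlet.CXFNonSpringServlet"}

# Constructed sample descriptor with the advisory's workaround applied.
SAMPLE_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee">
  <servlet>
    <servlet-name>cxf</servlet-name>
    <servlet-class>org.apache.cxf.transport.servlet.CXFServlet</servlet-class>
    <init-param>
      <param-name>hide-service-list-page</param-name>
      <param-value>true</param-value>
    </init-param>
  </servlet>
</web-app>"""

def is_affected(version):
    """True if a CXF version string predates the fixed 3.3.8 / 3.4.1."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError("unrecognised CXF version: %r" % version)
    v = tuple(int(x) for x in m.groups())
    # Assumption: the 3.4 line is fixed from 3.4.1, all older lines from 3.3.8.
    return v < (3, 3, 8) or (3, 4, 0) <= v < (3, 4, 1)

def _children(el):
    """Map namespace-stripped child tag -> trimmed text."""
    return {c.tag.rsplit("}", 1)[-1]: (c.text or "").strip() for c in el}

def listing_hidden(web_xml):
    """True only if every CXF servlet sets hide-service-list-page to true."""
    flags = []
    for el in ET.fromstring(web_xml).iter():
        if el.tag.rsplit("}", 1)[-1] != "servlet":
            continue
        if _children(el).get("servlet-class") not in CXF_SERVLETS:
            continue
        params = {}
        for child in el:
            if child.tag.rsplit("}", 1)[-1] == "init-param":
                kv = _children(child)
                params[kv.get("param-name")] = kv.get("param-value", "")
        flags.append(params.get("hide-service-list-page", "").lower() == "true")
    return bool(flags) and all(flags)

def service_list_exposed(version, web_xml):
    """Affected release with the /services listing still enabled."""
    return is_affected(version) and not listing_hidden(web_xml)
```

A descriptor with no CXF servlet entry is reported as not hidden, so deployments configured outside web.xml need a separate check.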

Credit:

Thanks to Ryan Lambeth for reporting this issue.

References: http://cxf.apache.org/security-advisories.html


=========================================================
+ CERT-RENATER       |    tel : 01-53-94-20-44          +
+ 23/25 Rue Daviel   |    fax : 01-53-94-20-41          +
+ 75013 Paris        |    email:cert@support.renater.fr +
=========================================================


