CVE-2016-6812: Cross-site Scripting

August 10, 2017 (updated January 5, 2018)

The HTTP transport module in Apache CXF uses FormattedServiceListWriter to provide an HTML page which lists the names and absolute URL addresses of the available service endpoints. The module calculates the base URL using the current HttpServletRequest which is used by FormattedServiceListWriter to build the service endpoint absolute URLs. If the unexpected matrix parameters have been injected into the request URL then these matrix parameters will find their way back to the client in the services list page which represents an XSS risk to the client.

References

cxf.apache.org/security-advisories.data/CVE-2016-6812.txt.asc
www.securityfocus.com/bid/97582
www.securitytracker.com/id/1037543
issues.apache.org/jira/browse/CXF-6216
nvd.nist.gov/vuln/detail/CVE-2016-6812

Detect and mitigate CVE-2016-6812 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →