Re: [glassfish-dev] Security Vulnerability - Action Required: “Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')” vulnerability in some versions of org.glassfish.main.extras:glassfish-embedded-all
Hi Yiheng,

Thank you for the report. We discussed it internally and decided that we don't plan to release 5.1.1 at this moment; however, we can change the decision later.

- In general we recommend doing proper regular updates, so GlassFish 7.0.10 is the recommended version these days. From this point of view, GF 5.1 is obsolete.
- Generally it is possible to release older versions, but there should be some consensus that it is worth the effort.

If you find some issue in the latest version, we would really appreciate it if you could report it to us.

Best regards,
David Matejcek.
On 14. 11. 23 15:01, James Watt via glassfish-dev wrote:
Hi there,

I think the method com.sun.faces.context.PartialViewContextImpl.renderState(FacesContext context) may have an “Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')” vulnerability, affecting org.glassfish.main.extras:glassfish-embedded-all before 5.1.0. It shares similarities with a recent CVE disclosure, CVE-2019-17091, in the project "eclipse-ee4j/mojarra".

The source vulnerability information is as follows:

Vulnerability Detail:
CVE Identifier: CVE-2019-17091
Description: faces/context/PartialViewContextImpl.java in Eclipse Mojarra, as used in Mojarra for Eclipse EE4J before 2.3.10 and Mojarra JavaServer Faces before 2.2.20, allows Reflected XSS because a client window field is mishandled.
Reference: https://nvd.nist.gov/vuln/detail/CVE-2019-17091
Patch: https://github.com/eclipse-ee4j/mojarra/commit/a3fa9573789ed5e867c43ea38374f4dbd5a8f81f

Vulnerability Description: In the vulnerable code, the method retrieves the ClientWindow object from the ExternalContext and writes its id to the response using the writer.write method. This mishandling of the ClientWindow field can potentially allow an attacker to inject malicious script code into the client window ID. The patch in the "eclipse-ee4j/mojarra" project addresses the vulnerability by using the writer.writeText method instead of writer.write to write the client window ID. The writer.writeText method properly handles the content and ensures that any special characters are correctly escaped, mitigating the risk of XSS attacks.

Considering the potential risks it may have, I am willing to cooperate with you to verify, address, and report the identified vulnerability promptly through responsible means. If you require any further information or assistance, please do not hesitate to reach out to me. Thank you, and I look forward to hearing from you soon.

Best regards,
Yiheng Cao
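The write() versus writeText() distinction the report describes, shown as an added, self-contained example. This is not code from the report, from the Mojarra commit or from GlassFish: DemoResponseWriter is a constructed stand-in whose write() passes text through unchanged and whose writeText() HTML-escapes it (the real javax.faces.context.ResponseWriter.writeText takes a second property argument, omitted here), and the hidden-field markup that renderStateRaw/renderStateEscaped emit is an assumed shape for the demo, not Mojarra's actual partial-response output.

```java
import java.io.IOException;
import java.io.StringWriter;
import java.io.Writer;

/**
 * Constructed stand-in for the two writer calls named in the report (not Mojarra's ResponseWriter).
 * write() emits the string as-is; writeText() HTML-escapes it first.
 */
final class DemoResponseWriter {
    private final Writer out;

    DemoResponseWriter(Writer out) {
        this.out = out;
    }

    /** Raw write: only for markup the renderer itself produced. */
    void write(String s) throws IOException {
        out.write(s);
    }

    /** Escaped write: the five HTML-significant characters become entity references. */
    void writeText(String s) throws IOException {
        StringBuilder sb = new StringBuilder(s.length());
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        out.write(sb.toString());
    }
}

public class ClientWindowRenderDemo {
    // Assumed output shape for this demo: a hidden field carrying the client window id.
    private static final String FIELD_OPEN =
            "<input type=\"hidden\" name=\"javax.faces.ClientWindow\" value=\"";
    private static final String FIELD_CLOSE = "\" />";

    /** Pre-fix pattern: the id, which originates from the request, is written verbatim. */
    static String renderStateRaw(String clientWindowId) throws IOException {
        StringWriter sw = new StringWriter();
        DemoResponseWriter writer = new DemoResponseWriter(sw);
        writer.write(FIELD_OPEN);
        writer.write(clientWindowId);
        writer.write(FIELD_CLOSE);
        return sw.toString();
    }

    /** Post-fix pattern: same output shape, but the id goes through the escaping path. */
    static String renderStateEscaped(String clientWindowId) throws IOException {
        StringWriter sw = new StringWriter();
        DemoResponseWriter writer = new DemoResponseWriter(sw);
        writer.write(FIELD_OPEN);
        writer.writeText(clientWindowId);
        writer.write(FIELD_CLOSE);
        return sw.toString();
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample id: request-controlled text containing characters that close the attribute.
        String suppliedId = "win-1\"><b>not an id</b>";
        String raw = renderStateRaw(suppliedId);
        String escaped = renderStateEscaped(suppliedId);
        System.out.println("raw:     " + raw);
        System.out.println("escaped: " + escaped);
        // The check a unit test would keep: only the raw path lets the value leave the attribute.
        System.out.println("raw breaks out of the attribute: " + raw.contains("\"><b>"));
        System.out.println("escaped stays inside it:         " + !escaped.contains("<b>"));
    }
}
```

Run it with `java ClientWindowRenderDemo.java` (Java 11 or later). The raw output contains a second element injected from the id; the escaped output keeps the whole value inside the attribute as entity-encoded text, which is the effect the Mojarra patch achieves by switching to writer.writeText.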