[glassfish-dev] Security Vulnerability - Action Required: “Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')” vulnerability in some versions of org.glassfish.main.extras:glassfish-embedded-all

Hi there,

I think the method com.sun.faces.context.PartialViewContextImpl.renderState(FacesContext context) may have an “Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')” vulnerability which is vulnerable in org.glassfish.main.extras:glassfish-embedded-all before 5.1.0. It shares similarities with a recent CVE disclosure, CVE-2019-17091, in the project "eclipse-ee4j/mojarra".

The source vulnerability information is as follows:

Vulnerability Detail:

CVE Identifier: CVE-2019-17091

Description: faces/context/PartialViewContextImpl.java in Eclipse Mojarra, as used in Mojarra for Eclipse EE4J before 2.3.10 and Mojarra JavaServer Faces before 2.2.20, allows Reflected XSS because a client window field is mishandled.

Reference: https://nvd.nist.gov/vuln/detail/CVE-2019-17091

Patch: https://github.com/eclipse-ee4j/mojarra/commit/a3fa9573789ed5e867c43ea38374f4dbd5a8f81f

Vulnerability Description: In the vulnerable code, the method retrieves the ClientWindow object from the ExternalContext and writes its id to the response using the writer.write method. This mishandling of the ClientWindow field can potentially allow an attacker to inject malicious script code into the client window ID. The patch in the "eclipse-ee4j/mojarra" project addresses the vulnerability by using the writer.writeText method instead of writer.write to write the client window ID. The writer.writeText method properly handles the content and ensures that any special characters are correctly escaped, mitigating the risk of XSS attacks.

Considering the potential risks it may have, I am willing to cooperate with you to verify, address, and report the identified vulnerability promptly through responsible means. If you require any further information or assistance, please do not hesitate to reach out to me. Thank you, and I look forward to hearing from you soon.


Best regards,

Yiheng Cao
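To make the write/writeText distinction in the report above concrete, here is an added, self-contained Java example. It is not Mojarra or GlassFish code and does not use the JSF ResponseWriter: the escaping helper, the update element name, the sample window id and the leaksMarkup check are assumptions made for illustration. It renders the client window id once through a raw write (the sink the CVE describes) and once through an escaping text write in the spirit of writeText, and shows a check a unit test can run over the rendered response.

```java
import java.io.StringWriter;

/**
 * Illustrative example, not Mojarra or GlassFish code. Renders a client window id
 * into a partial-response <update> element twice: with a raw write (the pattern
 * CVE-2019-17091 describes) and through an escaping text write modelled on what
 * ResponseWriter.writeText() does. Element name, update id and the escaping helper
 * are assumptions for this example.
 */
public class ClientWindowRender {

    /** Escapes the characters that can break out of text content or an attribute value. */
    static String escapeText(String s) {
        StringBuilder sb = new StringBuilder(s.length());
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /** Vulnerable pattern: the id reaches the response verbatim, so markup in it is rendered. */
    static String renderStateUnsafe(String clientWindowId) {
        StringWriter out = new StringWriter();
        out.write("<update id=\"javax.faces.ClientWindow\">"); // constructed element
        out.write(clientWindowId);                            // raw write: the sink
        out.write("</update>");
        return out.toString();
    }

    /** Fixed pattern: the id is escaped as text, so it can only ever be data, never markup. */
    static String renderStateSafe(String clientWindowId) {
        StringWriter out = new StringWriter();
        out.write("<update id=\"javax.faces.ClientWindow\">");
        out.write(escapeText(clientWindowId));                // escaped write, as writeText would do
        out.write("</update>");
        return out.toString();
    }

    /** Regression check: does the element body still carry unescaped markup characters? */
    static boolean leaksMarkup(String rendered) {
        String body = rendered.substring(rendered.indexOf('>') + 1, rendered.lastIndexOf("</update>"));
        return body.indexOf('<') >= 0 || body.indexOf('>') >= 0 || body.indexOf('"') >= 0;
    }

    public static void main(String[] args) {
        // Constructed id: a real window id is an opaque token; this one carries markup
        // characters only to show that the raw write preserves them and the escaped one does not.
        String id = "win-42<b>not-a-tag</b>\"";
        String unsafe = renderStateUnsafe(id);
        String safe = renderStateSafe(id);
        System.out.println("unsafe: " + unsafe + "  leaks=" + leaksMarkup(unsafe)); // leaks=true
        System.out.println("safe:   " + safe + "  leaks=" + leaksMarkup(safe));     // leaks=false
    }
}
```

The point of leaksMarkup is that the fix is verifiable without a browser: a test that renders the partial response with an id containing `<`, `>` or `"` and asserts the body contains none of them fails against the raw-write version and passes against the escaping one. In a real JSF code base the escaping helper is not needed; the patch linked above simply switches the call to writer.writeText, which performs this escaping itself.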