Mgmt API error page vulnerable to cross-site scripting attack

[Holger-Seemueller]

Hi,

our security team reported an issue with our Hawkbit instance:

Request:
POST to /cgi-bin/<script>xss-test<script>.asp

Response:
{"timestamp":"2021-01-11T07:18:10.650+0000","status":404,"error":"Not Found","message":"Not Found","path":"/cgi-bin/<script>xss-test</script>.asp"}

I was able to reproduce this behavior on your sandbox instance. Btw. for GET requests the path is not returned.

Could you please provide a fix or a workaround for that behavior?

Kind regards,
Holger

[schabdo]

Thanks for reporting the issue found by your security team. We'll see this fixed asap

[schabdo]

I would have expected that such special character within the URL are treated by Jetty. Tomcat behaves as expected:

IllegalArgumentException: Invalid character found in the request target [/cgi-bin/<script>xss-test</script>.asp]. 
The valid characters are defined in RFC 7230 and RFC 3986

[Holger-Seemueller]

Thanks for the quick response and reaction!!

[schabdo]

Sure. I filed CVE-2020-27219 for the records