mend-for-github-combot changed the title from "CVE-2020-13954 (Medium) detected in cxf-rt-transports-http-3.2.6.jar" to "CVE-2020-13954 (Medium) detected in cxf-rt-transports-http-3.2.6.jar - autoclosed" on Jun 23, 2021
✔️ This issue was automatically closed by WhiteSource because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the WhiteSource inventory.
CVE-2020-13954 - Medium Severity Vulnerability
Apache CXF Runtime HTTP Transport
Library home page: http://cxf.apache.org
Path to dependency file: TimeBase/java/installer/build.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.apache.cxf/cxf-rt-transports-http/3.2.6/bcd4ce1e6b8eb5110a12143df64874913b1e6a50/cxf-rt-transports-http-3.2.6.jar
Dependency Hierarchy:
Found in HEAD commit: 76d75f5eb2971c940ed61bb66cd24661abe01546
Found in base branch: main
By default, Apache CXF creates a /services page containing a listing of the available endpoint names and addresses. This webpage is vulnerable to a reflected Cross-Site Scripting (XSS) attack via the styleSheetPath, which allows a malicious actor to inject javascript into the web page. This vulnerability affects all versions of Apache CXF prior to 3.4.1 and 3.3.8. Please note that this is a separate issue to CVE-2019-17573.
Publish Date: 2020-11-12
URL: CVE-2020-13954
Base Score Metrics:
Type: Upgrade version
Origin: http://cxf.apache.org/security-advisories.data/CVE-2020-13954.txt.asc?version=1&modificationDate=1605183670659&api=v2
Release Date: 2020-11-12
Fix Resolution: org.apache.cxf:cxf-rt-transports-http:3.3.8, org.apache.cxf:cxf-rt-transports-http:3.4.1