CVE-2016-6812
XSS vulnerability in cxf-core (Maven)
What is CVE-2016-6812 About?
This vulnerability involves a Cross-Site Scripting (XSS) risk in Apache CXF due to improper handling of an HTTP request's base URL. Attackers can inject matrix parameters into the request URL, which are then reflected back to the client in the service list page. This makes the vulnerability relatively easy to exploit, as it relies on malformed input to trigger the reflection of malicious scripts.
Affected Software
- org.apache.cxf:cxf-core
  - <3.0.12
  - >3.1.0, <3.1.9
Technical Details
The HTTP transport module in Apache CXF versions prior to 3.0.12 and 3.1.x prior to 3.1.9 uses FormattedServiceListWriter to generate an HTML page listing the available service endpoints. This component derives the base URL for those endpoints from the current HttpServletRequest. An attacker can inject unexpected matrix parameters into the request URL, and FormattedServiceListWriter carries them over into the absolute URLs it prints on the services list page. Because the injected parameters are written into the HTML without sanitization, any script they contain is rendered in the client's browser when the page is viewed, producing a reflected XSS attack.
What is the Impact of CVE-2016-6812?
Successful exploitation may allow attackers to execute arbitrary script code in the context of the user's browser, steal session cookies, deface web pages, or redirect users to malicious sites.
What is the Exploitability of CVE-2016-6812?
Exploiting this vulnerability involves crafting a malicious URL with injected matrix parameters. This is a low-complexity attack requiring no authentication or special privileges. It can be performed remotely by enticing a user to click a specially crafted link or by tricking a browser into making a request to the vulnerable endpoint. The main constraint is that the attacker needs to ensure the victim accesses the generated service list page. The presence of a reflected HTML output based on user-controlled input significantly increases the likelihood of exploitation.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| shoucheng3 | Link | PoC for CVE-2016-6812 |
What are the Available Fixes for CVE-2016-6812?
About the Fix from Resolved Security
This patch ensures that matrix parameters (indicated by semicolons) in URLs are stripped out before generating service base URLs and service list links. By doing so, it prevents attackers from abusing matrix parameters to manipulate URLs and potentially spoof or bypass access controls, directly addressing the issue in CVE-2016-6812. The fix sanitizes URL construction, eliminating unwanted and potentially dangerous URL data.
Available Upgrade Options
- org.apache.cxf:cxf-core
  - <3.0.12 → Upgrade to 3.0.12
  - >3.1.0, <3.1.9 → Upgrade to 3.1.9
Additional Resources
- https://lists.apache.org/thread.html/rec7160382badd3ef4ad017a22f64a266c7188b9ba71394f0d321e2d4@%3Ccommits.cxf.apache.org%3E
- https://github.com/apache/cxf/commit/32e89366e2daa5670ac7a5c5c19f0bf9329a4c1e
- https://lists.apache.org/thread.html/rd49aabd984ed540c8ff7916d4d79405f3fa311d2fdbcf9ed307839a6@%3Ccommits.cxf.apache.org%3E
- https://github.com/apache/cxf/commit/1f824d8039c7a42a4aa46f844e6c800e1143c7e7
- https://lists.apache.org/thread.html/rfb87e0bf3995e7d560afeed750fac9329ff5f1ad49da365129b7f89e@%3Ccommits.cxf.apache.org%3E
- https://nvd.nist.gov/vuln/detail/CVE-2016-6812
- https://github.com/apache/cxf/commit/1be97cb13aef121b799b1be4d9793c0e8b925a12
- https://github.com/apache/cxf/commit/a30397b0
- https://issues.apache.org/jira/browse/CXF-6216
- http://cxf.apache.org/security-advisories.data/CVE-2016-6812.txt.asc
What are Similar Vulnerabilities to CVE-2016-6812?
Similar Vulnerabilities: CVE-2017-1000048, CVE-2017-1000049, CVE-2017-1000050, CVE-2017-1000051, CVE-2017-1000052
