CVE-2019-17573

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2019-17573
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2019-17573.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2019-17573
Aliases
Downstream
Published
2020-01-16T18:15:11.587Z
Modified
2026-04-02T01:41:53.794736Z
Severity
  • 6.1 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N CVSS Calculator
Summary
[none]
Details

By default, Apache CXF creates a /services page containing a listing of the available endpoint names and addresses. This webpage is vulnerable to a reflected Cross-Site Scripting (XSS) attack, which allows a malicious actor to inject javascript into the web page. Please note that the attack exploits a feature which is not typically not present in modern browsers, who remove dot segments before sending the request. However, Mobile applications may be vulnerable.

References

Affected packages

Git / github.com/apache/cxf

Affected ranges

Type
GIT
Repo
https://github.com/apache/cxf
Events
Introduced
f5ee3b786e22a081121eeebbba6d02fa9f4e7206
Last affected
1fb88a89a94414c55434f734d6fa24d0baaa1284
Introduced
8f90e00177d464541e99ed61238cbc52cff0846d
Fixed
c2c912024f22d498e343bbd52e57a65f3fd4a1b8
Database specific 
{
    "versions": [
        {
            "introduced": "3.2.0"
        },
        {
            "last_affected": "3.2.12"
        },
        {
            "introduced": "3.3.0"
        },
        {
            "fixed": "3.3.5"
        }
    ]
}

Affected versions

cxf-3.*
cxf-3.2.0
cxf-3.2.1
cxf-3.2.10
cxf-3.2.11
cxf-3.2.12
cxf-3.2.2
cxf-3.2.3
cxf-3.2.4
cxf-3.2.5
cxf-3.2.6
cxf-3.2.7
cxf-3.2.8
cxf-3.2.9
cxf-3.3.0
cxf-3.3.1
cxf-3.3.2
cxf-3.3.3
cxf-3.3.4
cxf-3.4.0
cxf-3.4.1
cxf-3.4.10
cxf-3.4.2
cxf-3.4.3
cxf-3.4.4
cxf-3.4.5
cxf-3.4.6
cxf-3.4.7
cxf-3.4.8
cxf-3.4.9
cxf-3.5.0
cxf-3.5.1
cxf-3.5.10
cxf-3.5.11
cxf-3.5.2
cxf-3.5.3
cxf-3.5.4
cxf-3.5.5
cxf-3.5.6
cxf-3.5.7
cxf-3.5.8
cxf-3.5.9
cxf-3.6.0
cxf-3.6.1
cxf-3.6.10
cxf-3.6.2
cxf-3.6.3
cxf-3.6.4
cxf-3.6.5
cxf-3.6.6
cxf-3.6.7
cxf-3.6.8
cxf-3.6.9
cxf-4.*
cxf-4.0.0
cxf-4.0.1
cxf-4.0.10
cxf-4.0.11
cxf-4.0.2
cxf-4.0.3
cxf-4.0.4
cxf-4.0.5
cxf-4.0.6
cxf-4.0.7
cxf-4.0.8
cxf-4.0.9
cxf-4.1.0
cxf-4.1.1
cxf-4.1.2
cxf-4.1.3
cxf-4.1.4
cxf-4.1.5
cxf-4.2.0

Database specific

source 
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2019-17573.json"
unresolved_ranges 
[
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "last_affected": "11.3.2"
            }
        ]
    },
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "last_affected": "8.1.1"
            }
        ]
    },
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "last_affected": "8.2.0"
            }
        ]
    },
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "last_affected": "8.2.1"
            }
        ]
    },
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "last_affected": "8.1.1"
            }
        ]
    },
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "last_affected": "8.2.0"
            }
        ]
    },
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "last_affected": "8.2.1"
            }
        ]
    },
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "last_affected": "8.1.1"
            }
        ]
    },
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "last_affected": "8.2.0"
            }
        ]
    },
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "last_affected": "8.2.1"
            }
        ]
    },
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "last_affected": "12.0.0"
            }
        ]
    },
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "last_affected": "12.1.0"
            }
        ]
    },
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "last_affected": "15.0"
            }
        ]
    }
]