GHSA-mg46-f9h5-g27x
Suggest an improvement- Source
- https://github.com/advisories/GHSA-mg46-f9h5-g27x
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/04/GHSA-mg46-f9h5-g27x/GHSA-mg46-f9h5-g27x.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-mg46-f9h5-g27x
- Aliases
- Published
- 2023-04-13T12:30:35Z
- Modified
- 2023-11-08T04:10:50.021536Z
- Severity
-
- 8.0 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H CVSS Calculator
- Summary
- Apache Sling Engine vulnerable to cross-site scripting (XSS) that can lead to privilege escalation
- Details
-
The SlingRequestDispatcher doesn't correctly implement the RequestDispatcher API resulting in a generic type of include-based cross-site scripting issues on the Apache Sling level. The vulnerability is exploitable by an attacker that is able to include a resource with specific content-type and control the include path (i.e. writing content). The impact of a successful attack is privilege escalation to administrative power.
Please update to Apache Sling Engine version 2.14.0 or newer and enable the "Check Content-Type overrides" configuration option.
- Database specific
{ "nvd_published_at": "2023-04-13T11:15:00Z", "github_reviewed_at": "2023-04-14T16:14:10Z", "severity": "HIGH", "github_reviewed": true, "cwe_ids": [ "CWE-79" ] }- References
Affected packages
Maven / org.apache.sling:org.apache.sling.engine
Package
- Name
- org.apache.sling:org.apache.sling.engine
- View open source insights on deps.dev
- Purl
- pkg:maven/org.apache.sling/org.apache.sling.engine
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed2.14.0
Affected versions
2.*
2.0.2-incubator
2.0.4-incubator
2.0.6
2.1.0
2.2.0
2.2.2
2.2.4
2.2.6
2.2.8
2.2.10
2.3.0
2.3.2
2.3.4
2.3.6
2.3.8
2.3.10
2.4.0
2.4.2
2.4.4
2.4.6
2.5.0
2.6.0
2.6.2
2.6.4
2.6.6
2.6.8
2.6.10
2.6.12
2.6.14
2.6.16
2.6.18
2.6.20
2.6.22
2.7.2
2.7.4
2.7.6
2.7.8
2.7.10
2.8.0
2.9.0
2.9.2
2.10.2
2.11.0
2.12.0
2.12.2
2.13.0