GHSA-rcvx-rmvf-mxch

Suggest an improvement
Source
https://github.com/advisories/GHSA-rcvx-rmvf-mxch
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/02/GHSA-rcvx-rmvf-mxch/GHSA-rcvx-rmvf-mxch.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-rcvx-rmvf-mxch
Aliases
Published
2022-02-09T22:19:44Z
Modified
2023-11-08T04:03:21.315466Z
Severity
  • 6.1 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N CVSS Calculator
Summary
Cross-site Scripting in Eclipse Hawkbit
Details

In all version of Eclipse Hawkbit prior to 0.3.0M7, the HTTP 404 (Not Found) JSON response body returned by the REST API may contain unsafe characters within the path attribute. Sending a POST request to a non existing resource will return the full path from the given URL unescaped to the client.

Database specific 
{
    "nvd_published_at": "2021-01-14T23:15:00Z",
    "cwe_ids": [
        "CWE-79"
    ],
    "severity": "MODERATE",
    "github_reviewed_at": "2021-04-06T21:53:29Z",
    "github_reviewed": true
}
References

Affected packages

Maven / org.eclipse.hawkbit:hawkbit-parent

Package

Name
org.eclipse.hawkbit:hawkbit-parent
View open source insights on deps.dev
Purl
pkg:maven/org.eclipse.hawkbit/hawkbit-parent

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
0.3.0M7

Affected versions

0.*

0.2.0M1
0.2.0M2
0.2.0M3
0.2.0M4
0.2.0M5
0.2.0M6
0.2.0M7
0.2.0M8
0.2.0M9
0.2.0
0.2.1
0.2.2
0.2.3
0.2.4
0.2.5
0.3.0M1
0.3.0M2
0.3.0M3
0.3.0M4
0.3.0M5
0.3.0M6

Database specific

last_known_affected_version_range

"<= 0.3.0M6"