CVE-2016-6812: Improper Neutralization of Input During Web Page Generation in Apache CXF
CVSS Score: 6.1 (CVSS 3.0)
Basic Information
CVE ID
GHSA ID
EPSS Score: 0.9068%
CWE
Published: 5/13/2022
Updated: 12/21/2023
KEV Status: No
Technology: Java
Technical Details
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
---|---|---|---|
org.apache.cxf:cxf-core | maven | <= 3.0.11 | 3.0.12 |
org.apache.cxf:cxf-core | maven | >= 3.1.0, <= 3.1.8 | 3.1.9 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability stems from three key functions:
- BaseUrlHelper.getBaseURL() failed to remove matrix parameters from request URLs, allowing them to persist in the base URL.
- FormattedServiceListWriter used this contaminated base URL to build absolute endpoint addresses without sanitization, directly embedding user-controlled input in HTML.
- ServiceListGeneratorServlet constructed stylesheet links from unsanitized request URIs.

The commit diffs show explicit fixes in these areas: matrix parameter stripping in BaseUrlHelper, URL concatenation fixes in FormattedServiceListWriter, and URI sanitization in ServiceListGeneratorServlet - all directly addressing the XSS vector described in CVE-2016-6812.
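The root cause described above in miniature, as an added example that is not Apache CXF code: it contrasts a service-list link built from the raw request path with one that strips matrix parameters and HTML-escapes the address. The class and method names are hypothetical, and the origin, request path and endpoint are constructed sample values.

```java
public class ServiceListLinkExample {
    // Drop ";name=value" matrix parameters from every path segment.
    static String stripMatrixParams(String path) {
        StringBuilder out = new StringBuilder();
        for (String segment : path.split("/", -1)) {
            int semi = segment.indexOf(';');
            out.append(semi >= 0 ? segment.substring(0, semi) : segment).append('/');
        }
        out.setLength(out.length() - 1); // remove the extra trailing '/'
        return out.toString();
    }

    // Minimal HTML escaping for text and double-quoted attribute values.
    static String escapeHtml(String s) {
        return s.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;")
                .replace("\"", "&quot;").replace("'", "&#39;");
    }

    // Before: the request path, matrix parameters included, lands in the page.
    static String unsafeLink(String origin, String requestPath, String endpoint) {
        String address = origin + requestPath + endpoint;
        return "<a href=\"" + address + "\">" + address + "</a>";
    }

    // After: matrix parameters are stripped, then the address is escaped.
    static String hardenedLink(String origin, String requestPath, String endpoint) {
        String address = escapeHtml(origin + stripMatrixParams(requestPath) + endpoint);
        return "<a href=\"" + address + "\">" + address + "</a>";
    }

    public static void main(String[] args) {
        String origin = "http://localhost:8080";          // constructed
        String requestPath = "/services;x=\"><i>marker";  // constructed, harmless markup
        String endpoint = "/OrderService";                // hypothetical endpoint
        String before = unsafeLink(origin, requestPath, endpoint);
        String after = hardenedLink(origin, requestPath, endpoint);
        System.out.println("before: " + before);
        System.out.println("after:  " + after);
        // Regression check: nothing from the matrix parameter may reach the page.
        if (after.contains("<i>") || after.contains(";x=")) {
            throw new IllegalStateException("request-controlled markup reached the page");
        }
    }
}
```

Stripping and escaping are kept as separate steps on purpose: stripping removes the matrix-parameter channel, while escaping covers any other request-derived character that still ends up in the generated HTML.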