
CVE-2016-6812: Improper Neutralization of Input During Web Page Generation in Apache CXF

CVSS Score: 6.1 (CVSS 3.0)

Basic Information

EPSS Score: 0.9068%
Published: 5/13/2022
Updated: 12/21/2023
KEV Status: No
Technology: Java

Technical Details

CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
| --- | --- | --- | --- |
| org.apache.cxf:cxf-core | maven | <= 3.0.11 | 3.0.12 |
| org.apache.cxf:cxf-core | maven | >= 3.1.0, <= 3.1.8 | 3.1.9 |

Vulnerability Intelligence
Root Cause Analysis

The vulnerability stems from three key functions:

  1. BaseUrlHelper.getBaseURL() failed to remove matrix parameters from request URLs, allowing them to persist in the base URL.
  2. FormattedServiceListWriter used this contaminated base URL to build absolute endpoint addresses without sanitization, directly embedding user-controlled input in HTML.
  3. ServiceListGeneratorServlet constructed stylesheet links from unsanitized request URIs.

The commit diffs show explicit fixes in these areas: matrix parameter stripping in BaseUrlHelper, URL concatenation fixes in FormattedServiceListWriter, and URI sanitization in ServiceListGeneratorServlet. All three directly address the XSS vector described in CVE-2016-6812.
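The pattern described above, shown as an added example that is not Apache CXF source code: a request-derived base URL carrying a matrix parameter is written into a service-list link, first unchanged and then with matrix parameters stripped and the result HTML-escaped. The class and method names (ServiceListLinkDemo, stripMatrixParams, escapeHtml, linkUnsafe, linkHardened), the `?wsdl` link suffix and the sample URL are assumptions constructed for illustration.

```java
// Added illustration: simplified stand-ins, not Apache CXF source code.
public class ServiceListLinkDemo {

    // Drop matrix parameters (";name=value") from each path segment.
    static String stripMatrixParams(String url) {
        String[] segs = url.split("/", -1);
        for (int i = 0; i < segs.length; i++) {
            int semi = segs[i].indexOf(';');
            if (semi >= 0) segs[i] = segs[i].substring(0, semi);
        }
        return String.join("/", segs);
    }

    // Encode the characters that can break out of HTML text or a quoted attribute.
    static String escapeHtml(String s) {
        StringBuilder sb = new StringBuilder(s.length());
        for (char c : s.toCharArray()) {
            switch (c) {
                case '&': sb.append("&amp;"); break;
                case '<': sb.append("&lt;"); break;
                case '>': sb.append("&gt;"); break;
                case '"': sb.append("&quot;"); break;
                case '\'': sb.append("&#39;"); break;
                default: sb.append(c);
            }
        }
        return sb.toString();
    }

    // Before: the request-derived base URL goes into the markup unchanged.
    static String linkUnsafe(String baseUrl, String endpointPath) {
        String abs = baseUrl + endpointPath;
        return "<a href=\"" + abs + "?wsdl\">" + abs + "</a>";
    }

    // After: strip matrix parameters, then escape before writing HTML.
    static String linkHardened(String baseUrl, String endpointPath) {
        String abs = escapeHtml(stripMatrixParams(baseUrl) + endpointPath);
        return "<a href=\"" + abs + "?wsdl\">" + abs + "</a>";
    }

    public static void main(String[] args) {
        // Constructed input: base URL with a matrix parameter holding markup.
        String base = "http://localhost:8080/services;x=\"><b>injected";
        System.out.println(linkUnsafe(base, "/orders"));
        System.out.println(linkHardened(base, "/orders"));
    }
}
```

Escaping is kept in the hardened path even after stripping, so any markup character that reaches the page through a route other than a matrix parameter is still rendered as text.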
