Miggo Logo
Miggo Vulnerability Database
CVE-2017-3165

CVE-2017-3165: Cross-site Scripting In Apache Brooklyn

5.4

CVSS Score
3.0

Basic Information

CVE ID
CVE-2017-3165
GHSA ID
GHSA-j3g9-3fvv-gqfp
EPSS Score
0.5022%
CWE
CWE-79
Published
5/17/2022
Updated
1/30/2023
KEV Status
No
Technology
TechnologyJava

Technical Details

CVSS Vector
CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Package NameEcosystemVulnerable VersionsFirst Patched Version
org.apache.brooklyn:brooklynmaven< 0.10.00.10.0

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability stems from unescaped entity names in server-generated content. The primary indicators are:

  1. The exploit example shows XSS via entity name injection
  2. The patch added 'correct escaping' per the advisory
  3. REST API endpoints (EntityResource) and UI rendering components (EntityRenderer) are the most likely locations for unescaped output of user-controlled entity names
  4. High confidence in EntityResource.get as REST endpoints are explicitly mentioned in the CVE description
  5. Medium confidence in EntityRenderer due to typical UI rendering patterns, though without patch details

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

In *p**** *rooklyn ***or* *.**.*, t** R*ST s*rv*r is vuln*r**l* to *ross-sit* s*riptin* w**r* on* *ut**nti**t** us*r **n **us* s*ripts to run in t** *rows*r o* *not**r us*r *ut*oriz** to ****ss t** *irst us*r's r*sour**s. T*is is *u* to improp*r *s**

Reasoning

T** vuln*r**ility st*ms *rom un*s**p** *ntity n*m*s in s*rv*r-**n*r*t** *ont*nt. T** prim*ry in*i**tors *r*: *. T** *xploit *x*mpl* s*ows XSS vi* *ntity n*m* inj**tion *. T** p*t** ***** '*orr**t *s**pin*' p*r t** **visory *. R*ST *PI *n*points (*nti