
CVE-2019-12416: Injection in DeltaSpike

CVSS Score (v3.1)
6.1

Basic Information

EPSS Score
0.74056%
Published
2/10/2022
Updated
1/20/2023
KEV Status
No
Technology
Java

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Package Name
org.apache.deltaspike:deltaspike
Ecosystem
maven
Vulnerable Versions
<= 1.9.3
First Patched Version
1.9.4

Vulnerability Intelligence

Root Cause Analysis

The provided information indicates the vulnerability exists in the windowhandler.js file when using ClientSideWindowStrategy, but the exact functions involved are not specified in the available data. Without access to the specific code changes in the security patches or detailed commit information, it's not possible to confidently identify the vulnerable function names that would appear in a runtime profiler. The CWE-74 suggests improper output neutralization, likely in functions processing window IDs or parameters, but concrete evidence linking to specific function signatures is missing.


WAF Protection Rules

WAF Rule

We got reports of injection attacks against the DeltaSpike windowhandler.js. This is only active if a developer selected the ClientSideWindowStrategy, which is not the default.
