
CVE-2019-15477: Cross-site Scripting in Jooby

CVSS Score (v3.0): 6.1

Basic Information

EPSS Score: 0.54523%
Published: 8/27/2019
Updated: 9/11/2023
KEV Status: No
Technology: Java

Technical Details

CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Package Name      Ecosystem   Vulnerable Versions   First Patched Version
org.jooby:jooby   maven       < 1.6.4               1.6.4

Vulnerability Intelligence

Root Cause Analysis (Miggo AI)

The vulnerability stemmed from two issues: 1) The default error handler (DefHandler.handle) did not HTML-escape the error message and reason fields when rendering error pages; the patch added an xssFilter and an escaper at that point. 2) Several call sites passed req.path(true), the raw request path, to error constructors, so unvalidated user input flowed into error messages. DefHandler.handle is the high-confidence vulnerable function because it directly lacks output encoding; the path-passing functions are medium confidence because they supplied the attack vector but were not the XSS sink.
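To make the two issues concrete, here is an added example that is not Jooby's code: a stand-in error page renderer that interpolates the reason and the raw request path into HTML, beside the corrected form that escapes every request-derived field before output. The class, method names and the constructed request path are hypothetical.

```java
/** Stand-in for an error page renderer: the unescaped form beside the fixed form. */
public final class ErrorPageDemo {

    /** Hypothetical pre-fix behaviour: reason and raw path are concatenated into HTML as-is. */
    static String renderUnescaped(int status, String reason, String rawPath) {
        return "<html><body><h1>" + status + " " + reason + "</h1>"
             + "<p>Path: " + rawPath + "</p></body></html>";
    }

    /** Hypothetical fixed behaviour: every request-influenced field is HTML-escaped first. */
    static String renderEscaped(int status, String reason, String rawPath) {
        return "<html><body><h1>" + status + " " + escapeHtml(reason) + "</h1>"
             + "<p>Path: " + escapeHtml(rawPath) + "</p></body></html>";
    }

    /** Escapes the five characters that change meaning in HTML text and attribute contexts. */
    static String escapeHtml(String s) {
        if (s == null) return "";
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '&':  out.append("&amp;");  break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    public static void main(String[] args) {
        // Constructed input: a request for a route that does not exist, carrying markup
        // in the path, which a 404 handler then reflects into its error page.
        String rawPath = "/no-such-route<b>injected</b>";
        String reason = "Not Found";
        System.out.println(renderUnescaped(404, reason, rawPath)); // markup survives verbatim
        System.out.println(renderEscaped(404, reason, rawPath));   // markup becomes inert text
        if (renderEscaped(404, reason, rawPath).contains("<b>")) {
            throw new AssertionError("escaped output must not contain raw markup");
        }
    }
}
```

Escaping at the rendering sink, as in renderEscaped, is what closes the bug regardless of how many call sites pass raw path data in; validating each caller is a defence in depth, not the fix.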


WAF Protection Rules

WAF Rule

Jooby before 1.6.4 has XSS via the default error handler.
