
CVE-2020-13928: Cross-site scripting in Apache Atlas

CVSS Score: 6.1 (CVSS v3.1)

Basic Information

EPSS Score: 0.82363%
Published: 2/10/2022
Updated: 2/1/2023
KEV Status: No
Technology: Java

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Package Name: org.apache.atlas:apache-atlas
Ecosystem: maven
Vulnerable Versions: < 2.1.0
First Patched Version: 2.1.0

Vulnerability Intelligence
Miggo AI Root Cause Analysis

The vulnerability manifests in two phases: 1) unsanitized input is stored when a search is saved, and 2) that stored value is emitted unsafely when elements are rendered. The identified controller method corresponds to the first phase, since it handles search persistence, while the renderer method corresponds to the second. Both would appear in exploitation call stacks: the controller when the malicious input is submitted, and the renderer when the stored XSS payload is displayed. Confidence is medium because there is no direct patch evidence; the assessment is grounded in the advisory's description of the vulnerable operations.


WAF Protection Rules

WAF Rule

Apache Atlas before 2.1.0 contains an XSS vulnerability. While saving searches or rendering elements, values are not sanitized correctly, and because of that the XSS vulnerability is triggered.
