Miggo Logo

CVE-2020-21485: Alluxio Cross Site Scripting vulnerability

6.1

CVSS Score
3.1

Basic Information

EPSS Score
0.21274%
Published
6/20/2023
Updated
11/8/2023
KEV Status
No
Technology
TechnologyJava

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Package NameEcosystemVulnerable VersionsFirst Patched Version
org.alluxio:alluxio-parentmaven<= 1.8.1

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability manifests in the handling of the 'path' parameter within the browse functionality. The GitHub issue (#10552) demonstrates that unescaped user input from the URL parameter is reflected in the HTML response. In Java web applications using servlets, this typically occurs when request parameters are directly written to the response stream without using output encoding methods like ESAPI.encoder().encodeForHTML(). The WebInterfaceBrowseServlet would be responsible for rendering the browse interface and processing the 'path' parameter, making it the most likely location for missing sanitization logic.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

*ross Sit* S*riptin* vuln*r**ility in *lluxio v.*.*.* *llows * r*mot* *tt**k*r to *x**ut** *r*itr*ry *o** vi* t** p*t* p*r*m*t*r in t** *rows* *o*r* *ompon*nt.

Reasoning

T** vuln*r**ility m*ni**sts in t** **n*lin* o* t** 'p*t*' p*r*m*t*r wit*in t** *rows* *un*tion*lity. T** *it*u* issu* (#*****) **monstr*t*s t**t un*s**p** us*r input *rom t** URL p*r*m*t*r is r**l**t** in t** *TML r*spons*. In J*v* w** *ppli**tions u