CVE-2018-1000129 - OpenCVE

An XSS vulnerability exists in the Jolokia agent version 1.3.7 in the HTTP servlet that allows an attacker to execute malicious javascript in the victim's browser.

No CVSS v4.0

No CVSS v3.1

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction Required

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

AV:N/AC:M/Au:N/C:N/I:P/A:N

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Jolokia	Jolokia
Redhat	Jboss Amq Jboss Fuse

Configuration 1 [-]

cpe:2.3:a:jolokia:jolokia:1.3.7:*:*:*:*:*:*:*

Package	CPE	Advisory	Released Date
Red Hat JBoss A-MQ 6.3
jolokia-core	cpe:/a:redhat:jboss_amq:6.3	RHSA-2018:3817	2018-12-11T00:00:00Z
Red Hat JBoss Fuse 6.3
jolokia-core	cpe:/a:redhat:jboss_fuse:6.3	RHSA-2018:3817	2018-12-11T00:00:00Z
Red Hat JBoss Fuse 7
jolokia-core	cpe:/a:redhat:jboss_fuse:7	RHSA-2018:2669	2018-09-11T00:00:00Z

References

Link	Providers
https://access.redhat.com/errata/RHSA-2018:2669
https://access.redhat.com/errata/RHSA-2018:3817
https://github.com/rhuss/jolokia/commit/5895d5c137c335e6b473e9dcb9baf748851bbc5f#diff-f19898247eddb55de6400489bff748ad
https://jolokia.org/#Security_fixes_with_1.5.0
https://nvd.nist.gov/vuln/detail/CVE-2018-1000129
https://www.cve.org/CVERecord?id=CVE-2018-1000129

History

No history.

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2018-03-14T13:00:00

Updated: 2024-08-05T12:33:49.277Z

Reserved: 2018-03-14T00:00:00

Link: CVE-2018-1000129

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2018-03-14T13:29:00.237

Modified: 2019-03-07T20:12:51.313

Link: CVE-2018-1000129

Redhat

Severity : Moderate

Publid Date: 2018-02-08T00:00:00Z

Links: CVE-2018-1000129 - Bugzilla

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "dateAssigned": "2018-02-22T00:00:00", "datePublic": "2018-01-24T00:00:00", "descriptions": [{"lang": "en", "value": "An XSS vulnerability exists in the Jolokia agent version 1.3.7 in the HTTP servlet that allows an attacker to execute malicious javascript in the victim's browser."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2018-12-12T10:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/rhuss/jolokia/commit/5895d5c137c335e6b473e9dcb9baf748851bbc5f#diff-f19898247eddb55de6400489bff748ad"}, {"name": "RHSA-2018:3817", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "https://access.redhat.com/errata/RHSA-2018:3817"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://jolokia.org/#Security_fixes_with_1.5.0"}, {"name": "RHSA-2018:2669", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "https://access.redhat.com/errata/RHSA-2018:2669"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "DATE_ASSIGNED": "2018-02-22", "ID": "CVE-2018-1000129", "REQUESTER": "mhopkins@gdssecurity.com", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "An XSS vulnerability exists in the Jolokia agent version 1.3.7 in the HTTP servlet that allows an attacker to execute malicious javascript in the victim's browser."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://github.com/rhuss/jolokia/commit/5895d5c137c335e6b473e9dcb9baf748851bbc5f#diff-f19898247eddb55de6400489bff748ad", "refsource": "CONFIRM", "url": "https://github.com/rhuss/jolokia/commit/5895d5c137c335e6b473e9dcb9baf748851bbc5f#diff-f19898247eddb55de6400489bff748ad"}, {"name": "RHSA-2018:3817", "refsource": "REDHAT", "url": "https://access.redhat.com/errata/RHSA-2018:3817"}, {"name": "https://jolokia.org/#Security_fixes_with_1.5.0", "refsource": "CONFIRM", "url": "https://jolokia.org/#Security_fixes_with_1.5.0"}, {"name": "RHSA-2018:2669", "refsource": "REDHAT", "url": "https://access.redhat.com/errata/RHSA-2018:2669"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-05T12:33:49.277Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/rhuss/jolokia/commit/5895d5c137c335e6b473e9dcb9baf748851bbc5f#diff-f19898247eddb55de6400489bff748ad"}, {"name": "RHSA-2018:3817", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"], "url": "https://access.redhat.com/errata/RHSA-2018:3817"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://jolokia.org/#Security_fixes_with_1.5.0"}, {"name": "RHSA-2018:2669", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"], "url": "https://access.redhat.com/errata/RHSA-2018:2669"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2018-1000129", "datePublished": "2018-03-14T13:00:00", "dateReserved": "2018-03-14T00:00:00", "dateUpdated": "2024-08-05T12:33:49.277Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:jolokia:jolokia:1.3.7:*:*:*:*:*:*:*", "matchCriteriaId": "745BFA9B-A6E7-4830-BF57-B8CD3E68E051", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "An XSS vulnerability exists in the Jolokia agent version 1.3.7 in the HTTP servlet that allows an attacker to execute malicious javascript in the victim's browser."}, {"lang": "es", "value": "Existe una vulnerabilidad de Cross-Site Scripting (XSS) en la versi\u00f3n 1.3.7 del agente Jolokia, en el servlet HTTP, que permite que un atacante ejecute JavaScript malicioso en el navegador de la v\u00edctima."}], "id": "CVE-2018-1000129", "lastModified": "2019-03-07T20:12:51.313", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.0"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2018-03-14T13:29:00.237", "references": [{"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://access.redhat.com/errata/RHSA-2018:2669"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://access.redhat.com/errata/RHSA-2018:3817"}, {"source": "cve@mitre.org", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/rhuss/jolokia/commit/5895d5c137c335e6b473e9dcb9baf748851bbc5f#diff-f19898247eddb55de6400489bff748ad"}, {"source": "cve@mitre.org", "tags": ["Vendor Advisory"], "url": "https://jolokia.org/#Security_fixes_with_1.5.0"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"affected_release": [{"advisory": "RHSA-2018:3817", "cpe": "cpe:/a:redhat:jboss_amq:6.3", "package": "jolokia-core", "product_name": "Red Hat JBoss A-MQ 6.3", "release_date": "2018-12-11T00:00:00Z"}, {"advisory": "RHSA-2018:3817", "cpe": "cpe:/a:redhat:jboss_fuse:6.3", "package": "jolokia-core", "product_name": "Red Hat JBoss Fuse 6.3", "release_date": "2018-12-11T00:00:00Z"}, {"advisory": "RHSA-2018:2669", "cpe": "cpe:/a:redhat:jboss_fuse:7", "package": "jolokia-core", "product_name": "Red Hat JBoss Fuse 7", "release_date": "2018-09-11T00:00:00Z"}], "bugzilla": {"description": "jolokia: Cross site scripting in the HTTP servlet", "id": "1559317", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1559317"}, "csaw": false, "cvss3": {"cvss3_base_score": "6.1", "cvss3_scoring_vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "status": "verified"}, "cwe": "CWE-79", "details": ["An XSS vulnerability exists in the Jolokia agent version 1.3.7 in the HTTP servlet that allows an attacker to execute malicious javascript in the victim's browser."], "name": "CVE-2018-1000129", "package_state": [{"cpe": "cpe:/a:redhat:jboss_dev_studio:11.", "fix_state": "Not affected", "package_name": "jolokia-core", "product_name": "JBoss Developer Studio 11"}, {"cpe": "cpe:/a:redhat:openstack:7", "fix_state": "Not affected", "package_name": "opendaylight", "product_name": "Red Hat Enterprise Linux OpenStack Platform 7 (Kilo)"}, {"cpe": "cpe:/a:redhat:jboss_amq:6", "fix_state": "Out of support scope", "package_name": "jolokia-core", "product_name": "Red Hat JBoss A-MQ 6"}, {"cpe": "cpe:/a:redhat:amq_broker:7", "fix_state": "Affected", "package_name": "jolokia-core", "product_name": "Red Hat JBoss A-MQ 7"}, {"cpe": "cpe:/a:redhat:jboss_data_virtualization:6", "fix_state": "Out of support scope", "package_name": "jolokia-client-java", "product_name": "Red Hat JBoss Data Virtualization 6"}, {"cpe": "cpe:/a:redhat:jboss_fuse:6", "fix_state": "Affected", "package_name": "jolokia-core", "product_name": "Red Hat JBoss Fuse 6"}, {"cpe": "cpe:/a:redhat:jboss_fuse:7", "fix_state": "Not affected", "package_name": "jolokia-core", "product_name": "Red Hat JBoss Fuse 7"}, {"cpe": "cpe:/a:redhat:fuse_integration_services:2", "fix_state": "Affected", "package_name": "jolokia-core", "product_name": "Red Hat JBoss Fuse Integration Service 2"}, {"cpe": "cpe:/a:redhat:openstack:10", "fix_state": "Will not fix", "impact": "low", "package_name": "opendaylight", "product_name": "Red Hat OpenStack Platform 10 (Newton)"}, {"cpe": "cpe:/a:redhat:openstack:11", "fix_state": "Will not fix", "impact": "low", "package_name": "opendaylight", "product_name": "Red Hat OpenStack Platform 11 (Ocata)"}, {"cpe": "cpe:/a:redhat:openstack:12", "fix_state": "Will not fix", "impact": "low", "package_name": "opendaylight", "product_name": "Red Hat OpenStack Platform 12 (Pike)"}, {"cpe": "cpe:/a:redhat:openstack:13", "fix_state": "Affected", "impact": "low", "package_name": "opendaylight", "product_name": "Red Hat OpenStack Platform 13 (Queens)"}, {"cpe": "cpe:/a:redhat:openstack:8", "fix_state": "Not affected", "package_name": "opendaylight", "product_name": "Red Hat OpenStack Platform 8 (Liberty)"}, {"cpe": "cpe:/a:redhat:openstack:9", "fix_state": "Will not fix", "impact": "low", "package_name": "opendaylight", "product_name": "Red Hat OpenStack Platform 9 (Mitaka)"}], "public_date": "2018-02-08T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2018-1000129\nhttps://nvd.nist.gov/vuln/detail/CVE-2018-1000129\nhttps://jolokia.org/#Security_fixes_with_1.5.0"], "statement": "Red Hat Product Security has rated this issue as having security impact of Low for:\n* Red Hat OpenStack Platform 9.0 (Mitaka)\n* Red Hat OpenStack Platform 10.0 (Newton) \n* Red Hat OpenStack Platform 11.0 (Ocata)\n* Red Hat OpenStack Platform 12.0 (Pike)\nAlthough the affected code is present in shipped packages, data returned by Jolokia is correctly processed and invalid data is not used. This issue is not currently planned to be addressed in future updates. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.", "threat_severity": "Moderate", "upstream_fix": "jolokia-core 1.5.0"}