By default, Apache CXF creates a /services page containing a listing of the available endpoint names and addresses. This webpage is vulnerable to a reflected Cross-Site Scripting (XSS) attack, which allows a malicious actor to inject javascript into the web page. Please note that the attack exploits a feature which is not typically not present in modern browsers, who remove dot segments before sending the request. However, Mobile applications may be vulnerable.
References
Link Providers
http://cxf.apache.org/security-advisories.data/CVE-2019-17573.txt.asc?version=1&modificationDate=1579178542000&api=v2 cve-icon cve-icon
http://www.openwall.com/lists/oss-security/2020/11/12/2 cve-icon cve-icon
https://lists.apache.org/thread.html/r36e44ffc1a9b365327df62cdfaabe85b9a5637de102cea07d79b2dbf%40%3Ccommits.cxf.apache.org%3E cve-icon cve-icon
https://lists.apache.org/thread.html/r51fdd73548290b2dfd0b48f7ab69bf9ae064dd100364cd8a15f0b3ec%40%3Cannounce.apache.org%3E cve-icon cve-icon
https://lists.apache.org/thread.html/r51fdd73548290b2dfd0b48f7ab69bf9ae064dd100364cd8a15f0b3ec%40%3Cdev.cxf.apache.org%3E cve-icon cve-icon
https://lists.apache.org/thread.html/r51fdd73548290b2dfd0b48f7ab69bf9ae064dd100364cd8a15f0b3ec%40%3Cusers.cxf.apache.org%3E cve-icon cve-icon
https://lists.apache.org/thread.html/r81a41a2915985d49bc3ea57dde2018b03584a863878a8532a89f993f%40%3Cusers.cxf.apache.org%3E cve-icon cve-icon
https://lists.apache.org/thread.html/rd49aabd984ed540c8ff7916d4d79405f3fa311d2fdbcf9ed307839a6%40%3Ccommits.cxf.apache.org%3E cve-icon cve-icon
https://lists.apache.org/thread.html/rec7160382badd3ef4ad017a22f64a266c7188b9ba71394f0d321e2d4%40%3Ccommits.cxf.apache.org%3E cve-icon cve-icon
https://lists.apache.org/thread.html/rf3b50583fefce2810cbd37c3d358cbcd9a03e750005950bf54546194%40%3Cannounce.apache.org%3E cve-icon cve-icon
https://lists.apache.org/thread.html/rfb87e0bf3995e7d560afeed750fac9329ff5f1ad49da365129b7f89e%40%3Ccommits.cxf.apache.org%3E cve-icon cve-icon
https://lists.apache.org/thread.html/rff42cfa5e7d75b7c1af0e37589140a8f1999e578a75738740b244bd4%40%3Ccommits.cxf.apache.org%3E cve-icon cve-icon
https://nvd.nist.gov/vuln/detail/CVE-2019-17573 cve-icon
https://www.cve.org/CVERecord?id=CVE-2019-17573 cve-icon
https://www.oracle.com/security-alerts/cpuApr2021.html cve-icon cve-icon
https://www.oracle.com/security-alerts/cpujul2020.html cve-icon cve-icon
History

No history.

cve-icon MITRE

Status: PUBLISHED

Assigner: apache

Published: 2020-01-16T17:50:42

Updated: 2024-08-05T01:47:12.612Z

Reserved: 2019-10-14T00:00:00

Link: CVE-2019-17573

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Modified

Published: 2020-01-16T18:15:11.587

Modified: 2023-11-07T03:06:21.737

Link: CVE-2019-17573

cve-icon Redhat

Severity : Moderate

Publid Date: 2020-01-16T00:00:00Z

Links: CVE-2019-17573 - Bugzilla