CVE-2021-36738 - Vulnerability Details - OpenCVE

The input fields in the JSP version of the Apache Pluto Applicant MVCBean CDI portlet are vulnerable to Cross-Site Scripting (XSS) attacks. Users should migrate to version 3.1.1 of the applicant-mvcbean-cdi-jsp-portlet.war artifact

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction Required

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

This CVE is not in the KEV list.

The EPSS score is 0.15929.

Key SSVC decision points have not yet been added.

Vendors	Products
Apache Subscribe	Pluto Subscribe

Configuration 1 [-]

cpe:2.3:a:apache:pluto:*:*:*:*:*:*:*:*

No data.

No data.

Advisories

Source	ID	Title
Github GHSA	GHSA-jg6j-jrxv-2hh9	Cross-site Scripting in Apache Pluto

Fixes

Solution

No solution given by the vendor.

Workaround

* Uninstall the applicant-mvcbean-cdi-jsp-portlet.war artifact -or- * Migrate to version 3.1.1 of the applicant-mvcbean-cdi-jsp-portlet.war artifact

References

Link	Providers
https://lists.apache.org/thread/11j19v1gjsk7o6o8nch1xrydow9b8lll

History

No history.

Projects

Sign in to view the affected projects.

MITRE

Status: PUBLISHED

Assigner: apache

Published: 2022-01-06T08:50:15

Updated: 2024-08-04T01:01:59.086Z

Reserved: 2021-07-14T00:00:00

Link: CVE-2021-36738

Vulnrichment

No data.

NVD

Status : Modified

Published: 2022-01-06T09:15:07.273

Modified: 2024-11-21T06:13:59.363

Link: CVE-2021-36738

Redhat

No data.

OpenCVE Enrichment

No data.

Weaknesses

CWE-79

{"containers": {"cna": {"affected": [{"product": "Apache Portals", "vendor": "Apache Software Foundation", "versions": [{"status": "affected", "version": "org.apache.portals.pluto.demo:applicant-mvcbean-cdi-jsp-portlet 3.1.0"}]}], "descriptions": [{"lang": "en", "value": "The input fields in the JSP version of the Apache Pluto Applicant MVCBean CDI portlet are vulnerable to Cross-Site Scripting (XSS) attacks. Users should migrate to version 3.1.1 of the applicant-mvcbean-cdi-jsp-portlet.war artifact"}], "metrics": [{"other": {"content": {"other": "moderate"}, "type": "unknown"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2022-01-06T08:50:15", "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://lists.apache.org/thread/11j19v1gjsk7o6o8nch1xrydow9b8lll"}], "source": {"discovery": "UNKNOWN"}, "title": "XSS vulnerability in the JSP version of the Apache Pluto Applicant MVCBean CDI portlet", "workarounds": [{"lang": "en", "value": "* Uninstall the applicant-mvcbean-cdi-jsp-portlet.war artifact\n-or-\n* Migrate to version 3.1.1 of the applicant-mvcbean-cdi-jsp-portlet.war artifact"}], "x_generator": {"engine": "Vulnogram 0.0.9"}, "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security@apache.org", "ID": "CVE-2021-36738", "STATE": "PUBLIC", "TITLE": "XSS vulnerability in the JSP version of the Apache Pluto Applicant MVCBean CDI portlet"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Apache Portals", "version": {"version_data": [{"version_affected": "=", "version_name": "org.apache.portals.pluto.demo:applicant-mvcbean-cdi-jsp-portlet", "version_value": "3.1.0"}]}}]}, "vendor_name": "Apache Software Foundation"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "The input fields in the JSP version of the Apache Pluto Applicant MVCBean CDI portlet are vulnerable to Cross-Site Scripting (XSS) attacks. Users should migrate to version 3.1.1 of the applicant-mvcbean-cdi-jsp-portlet.war artifact"}]}, "generator": {"engine": "Vulnogram 0.0.9"}, "impact": [{"other": "moderate"}], "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}]}, "references": {"reference_data": [{"name": "https://lists.apache.org/thread/11j19v1gjsk7o6o8nch1xrydow9b8lll", "refsource": "MISC", "url": "https://lists.apache.org/thread/11j19v1gjsk7o6o8nch1xrydow9b8lll"}]}, "source": {"discovery": "UNKNOWN"}, "work_around": [{"lang": "en", "value": "* Uninstall the applicant-mvcbean-cdi-jsp-portlet.war artifact\n-or-\n* Migrate to version 3.1.1 of the applicant-mvcbean-cdi-jsp-portlet.war artifact"}]}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T01:01:59.086Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://lists.apache.org/thread/11j19v1gjsk7o6o8nch1xrydow9b8lll"}]}]}, "cveMetadata": {"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "assignerShortName": "apache", "cveId": "CVE-2021-36738", "datePublished": "2022-01-06T08:50:15", "dateReserved": "2021-07-14T00:00:00", "dateUpdated": "2024-08-04T01:01:59.086Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:apache:pluto:*:*:*:*:*:*:*:*", "matchCriteriaId": "0711079D-E43A-440A-A38F-2ACE1676653E", "versionEndExcluding": "3.1.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "The input fields in the JSP version of the Apache Pluto Applicant MVCBean CDI portlet are vulnerable to Cross-Site Scripting (XSS) attacks. Users should migrate to version 3.1.1 of the applicant-mvcbean-cdi-jsp-portlet.war artifact"}, {"lang": "es", "value": "Los campos de entrada en la versi\u00f3n JSP de portlet MVCBean CDI de Apache Pluto Applicant son vulnerables a ataques de tipo Cross-Site Scripting (XSS). Los usuarios deben migrar a la versi\u00f3n 3.1.1 del artefacto applicant-mvcbean-cdi-jsp-portlet.war"}], "id": "CVE-2021-36738", "lastModified": "2024-11-21T06:13:59.363", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2022-01-06T09:15:07.273", "references": [{"source": "security@apache.org", "tags": ["Vendor Advisory"], "url": "https://lists.apache.org/thread/11j19v1gjsk7o6o8nch1xrydow9b8lll"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://lists.apache.org/thread/11j19v1gjsk7o6o8nch1xrydow9b8lll"}], "sourceIdentifier": "security@apache.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@apache.org", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-79"}], "source": "nvd@nist.gov", "type": "Primary"}]}