Re: [glassfish-dev] Security Vulnerability - Action Required: “Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')” vulnerability in some versions of org.glassfish.main.extras:glassfish-embedded-all

Hi Yiheng,

Thank you for the report. We discussed it internally and decided that we don't plan to release 5.1.1 at this moment; however, we can change the decision later.

- In general we recommend doing proper regular updates, so GlassFish 7.0.10 is the recommended version these days. From this point of view, GF 5.1 is obsolete.
- The https://nvd.nist.gov/vuln/detail/CVE-2019-17091 has just a Medium score; it is not a critical security issue.
- If users need reliable support for older GlassFish versions, we encourage them to seek commercial support from companies that provide it: https://glassfish.org/support.html
- Generally it is possible to release older versions, but there should be some consensus that it is worth the effort.

If you find an issue in the latest version, we would really appreciate it if you could report it to us.

Best regards,

David Matejcek.
-- 
David Matejcek | OmniFish
david.matejcek@xxxxxxxxxxx
On 14. 11. 23 15:01, James Watt via glassfish-dev wrote:

Hi there,

I think the method com.sun.faces.context.PartialViewContextImpl.renderState(FacesContext context) may have an “Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')” vulnerability which is vulnerable in org.glassfish.main.extras:glassfish-embedded-all before 5.1.0. It shares similarities with a recent CVE disclosure, CVE-2019-17091, in the project "eclipse-ee4j/mojarra".

The source vulnerability information is as follows:

Vulnerability Detail:

CVE Identifier: CVE-2019-17091

Description: faces/context/PartialViewContextImpl.java in Eclipse Mojarra, as used in Mojarra for Eclipse EE4J before 2.3.10 and Mojarra JavaServer Faces before 2.2.20, allows Reflected XSS because a client window field is mishandled.

Reference: https://nvd.nist.gov/vuln/detail/CVE-2019-17091

Patch: https://github.com/eclipse-ee4j/mojarra/commit/a3fa9573789ed5e867c43ea38374f4dbd5a8f81f
Vulnerability Description: In the vulnerable code, the method retrieves the ClientWindow object from the ExternalContext and writes its id to the response using the writer.write method. This mishandling of the ClientWindow field can potentially allow an attacker to inject malicious script code into the client window ID. The patch in the "eclipse-ee4j/mojarra" project addresses the vulnerability by using the writer.writeText method instead of writer.write to write the client window ID. The writer.writeText method properly handles the content and ensures that any special characters are correctly escaped, mitigating the risk of XSS attacks.

Considering the potential risks it may have, I am willing to cooperate with you to verify, address, and report the identified vulnerability promptly through responsible means. If you require any further information or assistance, please do not hesitate to reach out to me. Thank you, and I look forward to hearing from you soon.


Best regards,

Yiheng Cao
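As an added illustration of the two write paths described in the report above (this is not Mojarra's code and not part of the original message): a constructed client window id is rendered once verbatim, as the pre-patch writer.write path did, and once as escaped text, as writer.writeText does. The span wrapper, the escaper and the sample ids are assumptions of this example.

```java
/*
 * Added illustration of the defect class behind CVE-2019-17091; not Mojarra's code.
 * renderUnescaped() stands in for the vulnerable writer.write(...) path and
 * renderEscaped() for the patched writer.writeText(...) path. The wrapper
 * markup and the sample ids below are constructed for the demonstration.
 */
public class ClientWindowIdEscaping {

    /** Minimal HTML text escaping, the job writeText() performs for its caller. */
    static String escapeHtmlText(String s) {
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /** Vulnerable pattern: a request-derived id is copied into the page verbatim. */
    static String renderUnescaped(String clientWindowId) {
        return "<span id=\"clientWindow\">" + clientWindowId + "</span>";
    }

    /** Patched pattern: the same id is emitted as escaped text content. */
    static String renderEscaped(String clientWindowId) {
        return "<span id=\"clientWindow\">" + escapeHtmlText(clientWindowId) + "</span>";
    }

    /** True if the fragment contains any '<' beyond the two wrapper tags. */
    static boolean leaksMarkup(String fragment) {
        return fragment.chars().filter(c -> c == '<').count() > 2;
    }

    public static void main(String[] args) {
        // Constructed ids: a well-formed one and one carrying stray markup.
        String[] ids = { "1a2b3c", "1a2b3c<b>not-an-id</b>" };
        for (String id : ids) {
            System.out.println("write:     " + renderUnescaped(id)
                    + (leaksMarkup(renderUnescaped(id)) ? "   <-- markup reaches the browser" : ""));
            System.out.println("writeText: " + renderEscaped(id)
                    + (leaksMarkup(renderEscaped(id)) ? "   <-- markup reaches the browser" : ""));
        }
    }
}
```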
_______________________________________________
glassfish-dev mailing list
glassfish-dev@xxxxxxxxxxx
To unsubscribe from this list, visit https://www.eclipse.org/mailman/listinfo/glassfish-dev