What is CVE-2019-17573?

CVE-2019-17573 is a vulnerability in Apache Cxf. Published 2020-01-16.

Is CVE-2019-17573 known to be exploited?

4 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.

Vulnerability in Apache Cxf

CVE-2019-17573

By default, Apache CXF creates a /services page containing a listing of the available endpoint names and addresses. This webpage is vulnerable to a reflected Cross-Site Scripting (XSS) attack, which allows a malicious actor to inject javas…

EPSS: 0.140 (94.5th percentile) — read the EPSS interpretation.

Affected products

Apache Cxf — versions All versions of Apache CXF prior to 3.3.5 and 3.2.12.

Public proof-of-concept exploits

References

[announce] 20200116 [CVE-2019-17573] Apache CXF Reflected XSS in the services listing page (mailing-list, x_refsource_MLIST)
[cxf-commits] 20200319 svn commit: r1058035 - in /websites/production/cxf/content: cache/main.pageCache security-advisories.data/CVE-2019-17573.txt.asc security-advisories.html (mailing-list, x_refsource_MLIST)
[cxf-commits] 20200401 svn commit: r1058573 - in /websites/production/cxf/content: cache/main.pageCache index.html security-advisories.data/CVE-2020-1954.txt.asc security-advisories.html (mailing-list, x_refsource_MLIST)
www.oracle.com/security-alerts/cpujul2020.html (x_refsource_MISC)
cxf.apache.org/security-advisories.data/CVE-2019-17573.txt.asc (x_refsource_CONFIRM)
[cxf-dev] 20201112 CVE-2020-13954: Apache CXF Reflected XSS in the services listing page via the styleSheetPath (mailing-list, x_refsource_MLIST)
[cxf-commits] 20201112 svn commit: r1067927 - in /websites/production/cxf/content: cache/main.pageCache security-advisories.data/CVE-2020-13954.txt.asc security-advisories.html (mailing-list, x_refsource_MLIST)
[cxf-users] 20201112 CVE-2020-13954: Apache CXF Reflected XSS in the services listing page via the styleSheetPath (mailing-list, x_refsource_MLIST)
[oss-security] 20201112 CVE-2020-13954: Apache CXF Reflected XSS in the services listing page via the styleSheetPath (mailing-list, x_refsource_MLIST)
[announce] 20201112 CVE-2020-13954: Apache CXF Reflected XSS in the services listing page via the styleSheetPath (mailing-list, x_refsource_MLIST)

Frequently asked questions

What is CVE-2019-17573?: CVE-2019-17573 is a vulnerability in Apache Cxf. Published 2020-01-16.
Is CVE-2019-17573 known to be exploited?: 4 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.