GHSA-mg46-f9h5-g27x

Suggest an improvement
Source
https://github.com/advisories/GHSA-mg46-f9h5-g27x
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/04/GHSA-mg46-f9h5-g27x/GHSA-mg46-f9h5-g27x.json
JSON Data
https://api.test.osv.dev/v1/vulns/GHSA-mg46-f9h5-g27x
Aliases
Published
2023-04-13T12:30:35Z
Modified
2023-11-01T05:00:20.654617Z
Severity
  • 8.0 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H CVSS Calculator
Summary
Apache Sling Engine vulnerable to cross-site scripting (XSS) that can lead to privilege escalation
Details

The SlingRequestDispatcher doesn't correctly implement the RequestDispatcher API resulting in a generic type of include-based cross-site scripting issues on the Apache Sling level. The vulnerability is exploitable by an attacker that is able to include a resource with specific content-type and control the include path (i.e. writing content). The impact of a successful attack is privilege escalation to administrative power.

Please update to Apache Sling Engine version 2.14.0 or newer and enable the "Check Content-Type overrides" configuration option.

Database specific
{
    "nvd_published_at": "2023-04-13T11:15:00Z",
    "github_reviewed_at": "2023-04-14T16:14:10Z",
    "severity": "HIGH",
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-79"
    ]
}
References

Affected packages

Maven / org.apache.sling:org.apache.sling.engine

Package

Name
org.apache.sling:org.apache.sling.engine
View open source insights on deps.dev
Purl
pkg:maven/org.apache.sling/org.apache.sling.engine

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
2.14.0

Affected versions

2.*

2.0.2-incubator
2.0.4-incubator
2.0.6
2.1.0
2.2.0
2.2.2
2.2.4
2.2.6
2.2.8
2.2.10
2.3.0
2.3.2
2.3.4
2.3.6
2.3.8
2.3.10
2.4.0
2.4.2
2.4.4
2.4.6
2.5.0
2.6.0
2.6.2
2.6.4
2.6.6
2.6.8
2.6.10
2.6.12
2.6.14
2.6.16
2.6.18
2.6.20
2.6.22
2.7.2
2.7.4
2.7.6
2.7.8
2.7.10
2.8.0
2.9.0
2.9.2
2.10.2
2.11.0
2.12.0
2.12.2
2.13.0