Command injection

Affecting org.apache.deltaspike.modules:deltaspike-jsf-module-impl artifact, versions [,1.9.3)


Overview

org.apache.deltaspike.modules:deltaspike-jsf-module-impl is a suite of portable CDI Extensions intended to make application development easier when working with CDI and Java EE.

Affected versions of this package are vulnerable to Command injection in windowhandler.js. The issue is only reachable when the developer has selected the ClientSideWindowStrategy, which is not the default setting.

Remediation

Upgrade org.apache.deltaspike.modules:deltaspike-jsf-module-impl to version 1.9.3 or higher.
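To check whether a build declares the affected artifact inside the range [,1.9.3) given above, here is an added example that is not part of this advisory: it parses Maven's range notation and scans a pom.xml for the coordinates named in the Overview. The sample pom and its version 1.9.1 are constructed for illustration.

```python
"""Check a Maven pom.xml for the affected deltaspike-jsf-module-impl range."""
import re
import xml.etree.ElementTree as ET

# Coordinates and affected range as stated in the advisory.
AFFECTED_GROUP = "org.apache.deltaspike.modules"
AFFECTED_ARTIFACT = "deltaspike-jsf-module-impl"
AFFECTED_RANGE = "[,1.9.3)"

# Constructed sample pom.xml; the version 1.9.1 is a made-up example.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <dependencies>
    <dependency>
      <groupId>org.apache.deltaspike.modules</groupId>
      <artifactId>deltaspike-jsf-module-impl</artifactId>
      <version>1.9.1</version>
    </dependency>
  </dependencies>
</project>"""

def version_key(v):
    """Numeric tuple for comparison; qualifiers such as '-SNAPSHOT' are dropped."""
    return tuple(int(p) for p in re.findall(r"\d+", v.split("-")[0]))

def in_range(version, spec):
    """True if version lies in a single Maven range such as '[,1.9.3)' or '[1.0,2.0]'.
    Multi-range specs like '(,1.0],[1.2,)' are not handled here."""
    lower_inclusive, upper_inclusive = spec[0] == "[", spec[-1] == "]"
    lower, upper = (s.strip() for s in spec[1:-1].split(","))
    key = version_key(version)
    if lower:
        lk = version_key(lower)
        if key < lk or (key == lk and not lower_inclusive):
            return False
    if upper:
        uk = version_key(upper)
        if key > uk or (key == uk and not upper_inclusive):
            return False
    return True

def affected_versions(pom_xml):
    """Versions of the affected artifact declared in the pom that fall inside the range.
    Versions given as unresolved properties (e.g. ${deltaspike.version}) are skipped."""
    ns = {"m": "http://maven.apache.org/POM/4.0.0"}
    hits = []
    for dep in ET.fromstring(pom_xml).iterfind(".//m:dependency", ns):
        group = dep.findtext("m:groupId", default="", namespaces=ns)
        artifact = dep.findtext("m:artifactId", default="", namespaces=ns)
        version = dep.findtext("m:version", default="", namespaces=ns)
        if (group, artifact) != (AFFECTED_GROUP, AFFECTED_ARTIFACT) or not re.match(r"\d", version):
            continue
        if in_range(version, AFFECTED_RANGE):
            hits.append(version)
    return hits
```

Versions inherited from a parent pom or dependencyManagement are not resolved by this check; run `mvn dependency:tree` to see the effective version in that case.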

CVSS Score: 5.4 (medium severity)
  • Attack Vector
    Network
  • Attack Complexity
    Low
  • Privileges Required
    None
  • User Interaction
    Required
  • Scope
    Unchanged
  • Confidentiality
    None
  • Integrity
    Low
  • Availability
    Low
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L
Credit: Christian Beikov, Matthias Walliczek
CVE: CVE-2019-12416
CWE: CWE-78
Snyk ID: SNYK-JAVA-ORGAPACHEDELTASPIKEMODULES-560845
Disclosed: 19 Mar, 2020
Published: 19 Mar, 2020