Vulnerability Name:

CVE-2019-17091 (CCN-168364)

Assigned: 2019-04-03
Published: 2019-04-03
Updated: 2022-04-06
Summary: faces/context/PartialViewContextImpl.java in Eclipse Mojarra, as used in Mojarra for Eclipse EE4J before 2.3.10 and Mojarra JavaServer Faces before 2.2.20, allows Reflected XSS because a client window field is mishandled.
CVSS v3 Severity: 6.1 Medium (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)
5.8 Medium (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:H/RL:O/RC:C)
Exploitability Metrics: Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): Required
Scope: Scope (S): Changed
Impact Metrics: Confidentiality (C): Low
Integrity (I): Low
Availability (A): None
6.1 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)
5.8 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:H/RL:O/RC:C)
Exploitability Metrics: Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): Required
Scope: Scope (S): Changed
Impact Metrics: Confidentiality (C): Low
Integrity (I): Low
Availability (A): None
CVSS v2 Severity: 4.3 Medium (CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N)
Exploitability Metrics: Access Vector (AV): Network
Access Complexity (AC): Medium
Authentication (Au): None
Impact Metrics: Confidentiality (C): None
Integrity (I): Partial
Availability (A): None
5.5 Medium (CCN CVSS v2 Vector: AV:N/AC:L/Au:S/C:P/I:P/A:N)
Exploitability Metrics: Access Vector (AV): Network
Access Complexity (AC): Low
Authentication (Au): Single_Instance
Impact Metrics: Confidentiality (C): Partial
Integrity (I): Partial
Availability (A): None
Vulnerability Type: CWE-79
Vulnerability Consequences: Cross-Site Scripting
References:
Source: MITRE
Type: CNA
CVE-2019-17091

Source: CCN
Type: Oracle CPUOct2019
Oracle Critical Patch Update Advisory - October 2019

Source: MISC
Type: Exploit, Issue Tracking, Patch, Vendor Advisory
https://bugs.eclipse.org/bugs/show_bug.cgi?id=548244

Source: XF
Type: UNKNOWN
eclipse-cve201917091-xss(168364)

Source: MISC
Type: Patch, Third Party Advisory
https://github.com/eclipse-ee4j/mojarra/commit/8f70f2bd024f00ecd5b3dcca45df73edda29dcee

Source: MISC
Type: Patch, Third Party Advisory
https://github.com/eclipse-ee4j/mojarra/commit/a3fa9573789ed5e867c43ea38374f4dbd5a8f81f

Source: MISC
Type: Release Notes, Third Party Advisory
https://github.com/eclipse-ee4j/mojarra/compare/2.3.9-RELEASE...2.3.10-RELEASE

Source: MISC
Type: Exploit, Third Party Advisory
https://github.com/eclipse-ee4j/mojarra/files/3039198/advisory.txt

Source: CCN
Type: mojarra GIT Repository
HIGH-LEVEL VULNERABILITY WITHIN MOJARRA JSF V2.2 #4556

Source: MISC
Type: Third Party Advisory
https://github.com/eclipse-ee4j/mojarra/issues/4556

Source: MISC
Type: Patch, Third Party Advisory
https://github.com/eclipse-ee4j/mojarra/pull/4567

Source: MISC
Type: Patch, Third Party Advisory
https://github.com/javaserverfaces/mojarra/commit/ae1c234d0a6750822ac69d4ae26d90e3571f27fe

Source: MISC
Type: Patch, Third Party Advisory
https://github.com/javaserverfaces/mojarra/commit/f61935cd39f34329fbf27b1972a506fbdd0ab4d4

Source: MISC
Type: Patch, Third Party Advisory
https://github.com/javaserverfaces/mojarra/compare/2.2.19...2.2.20

Source: CCN
Type: Oracle CPUApr2020
Oracle Critical Patch Update Advisory - April 2020

Source: CCN
Type: Oracle CPUJan2020
Oracle Critical Patch Update Advisory - January 2020

Source: MISC
Type: Patch, Third Party Advisory
https://www.oracle.com/security-alerts/cpujan2020.html

Source: CCN
Type: Oracle CPUJan2021
Oracle Critical Patch Update Advisory - January 2021

Source: MISC
Type: Patch, Third Party Advisory
https://www.oracle.com/security-alerts/cpujan2021.html

Source: MISC
Type: Patch, Third Party Advisory
https://www.oracle.com/security-alerts/cpujan2022.html

Source: CCN
Type: Oracle CPUJul2020
Oracle Critical Patch Update Advisory - July 2020

Source: MISC
Type: Patch, Third Party Advisory
https://www.oracle.com/security-alerts/cpujul2020.html

Source: CCN
Type: Oracle CPUOct2020
Oracle Critical Patch Update Advisory - October 2020

Source: MISC
Type: Patch, Third Party Advisory
https://www.oracle.com/security-alerts/cpuoct2020.html

Source: MISC
Type: Patch, Third Party Advisory
https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html

Vulnerable Configuration:
Configuration 1:
  • cpe:/a:eclipse:mojarra:*:*:*:*:*:*:*:* (Version >= 2.3.0 and < 2.3.10)
  • OR cpe:/a:oracle:mojarra_javaserver_faces:*:*:*:*:*:*:*:* (Version >= 2.2.0 and < 2.2.20)

Configuration 2:
  • cpe:/a:oracle:application_testing_suite:13.2.0.1:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:application_testing_suite:13.3.0.1:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:banking_enterprise_product_manufacturing:2.7.0:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:banking_enterprise_product_manufacturing:2.8.0:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:communications_diameter_signaling_router:*:*:*:*:*:*:*:* (Version >= 8.0.0.0 and <= 8.4.0.5)
  • OR cpe:/a:oracle:communications_network_integrity:7.3.5:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:communications_network_integrity:7.3.6:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:communications_unified_inventory_management:7.3.0:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:communications_unified_inventory_management:7.4.0:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:enterprise_data_quality:12.2.1.3.0:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:health_sciences_information_manager:3.0:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:healthcare_data_repository:7.0:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:primavera_p6_enterprise_project_portfolio_management:*:*:*:*:*:*:*:* (Version >= 15.1.0.0 and <= 15.2.18.7)
  • OR cpe:/a:oracle:primavera_p6_enterprise_project_portfolio_management:*:*:*:*:*:*:*:* (Version >= 16.1.0.0 and <= 16.2.19.0)
  • OR cpe:/a:oracle:primavera_p6_enterprise_project_portfolio_management:*:*:*:*:*:*:*:* (Version >= 17.1.0.0 and <= 17.12.15.0)
  • OR cpe:/a:oracle:primavera_p6_enterprise_project_portfolio_management:*:*:*:*:*:*:*:* (Version >= 18.1.0.0 and <= 18.8.15.0)
  • OR cpe:/a:oracle:primavera_p6_enterprise_project_portfolio_management:19.12.0.0:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:rapid_planning:12.1:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:rapid_planning:12.2:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:retail_advanced_inventory_planning:15.0:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:retail_advanced_inventory_planning:16.0:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:retail_assortment_planning:16.0.3:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:retail_bulk_data_integration:16.0.3.0:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:retail_financial_integration:15.0:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:retail_financial_integration:16.0:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:retail_integration_bus:15.0:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:retail_integration_bus:16.0:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:retail_invoice_matching:16.0:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:retail_merchandising_system:16.0:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:retail_service_backbone:15.0:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:retail_service_backbone:16.0:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:retail_store_inventory_management:14.0.4:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:retail_store_inventory_management:14.1.3:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:retail_store_inventory_management:15.0.3:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:retail_store_inventory_management:16.0.3:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:secure_global_desktop:5.4:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:secure_global_desktop:5.5:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:time_and_labor:*:*:*:*:*:*:*:* (Version >= 12.2.6 and <= 12.2.11)

Configuration CCN 1:
  • cpe:/a:eclipse:mojarra:2.3.9:*:*:*:*:*:*:*
  • AND
  • cpe:/a:oracle:weblogic_server:12.2.1.3.0:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:retail_advanced_inventory_planning:15.0:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:retail_merchandising_system:16.0:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:communications_unified_inventory_management:7.3:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:retail_price_management:16.0:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:application_testing_suite:13.2.0.1:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:retail_financial_integration:15.0:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:retail_financial_integration:16.0:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:retail_service_backbone:15.0:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:retail_service_backbone:16.0:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:retail_integration_bus:15.0:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:retail_integration_bus:16.0:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:secure_global_desktop:5.4:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:enterprise_data_quality:12.2.1.3.0:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:application_testing_suite:13.3.0.1:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:health_sciences_information_manager:3.0:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:retail_advanced_inventory_planning:16.0:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:banking_enterprise_product_manufacturing:2.7.0:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:banking_enterprise_product_manufacturing:2.8.0:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:healthcare_data_repository:7.0:*:*:*:*:*:*:*
