Vulnerability Name:

CVE-2020-13954 (CCN-191650)

Assigned: 2020-11-12
Published: 2020-11-12
Updated: 2022-05-12
Summary: By default, Apache CXF creates a /services page containing a listing of the available endpoint names and addresses. This web page is vulnerable to a reflected Cross-Site Scripting (XSS) attack via the styleSheetPath, which allows a malicious actor to inject JavaScript into the web page. This vulnerability affects all versions of Apache CXF prior to 3.4.1 and 3.3.8. Please note that this is a separate issue from CVE-2019-17573.
CVSS v3 Severity: 6.1 Medium (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)
5.8 Medium (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:H/RL:O/RC:C)
Exploitability Metrics: Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): Required
Scope: Scope (S): Changed
Impact Metrics: Confidentiality (C): Low
Integrity (I): Low
Availability (A): None
6.1 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)
5.8 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:H/RL:O/RC:C)
Exploitability Metrics: Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): Required
Scope: Scope (S): Changed
Impact Metrics: Confidentiality (C): Low
Integrity (I): Low
Availability (A): None
CVSS v2 Severity: 4.3 Medium (CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N)
Exploitability Metrics: Access Vector (AV): Network
Access Complexity (AC): Medium
Authentication (Au): None
Impact Metrics: Confidentiality (C): None
Integrity (I): Partial
Availability (A): None
5.5 Medium (CCN CVSS v2 Vector: AV:N/AC:L/Au:S/C:P/I:P/A:N)
Exploitability Metrics: Access Vector (AV): Network
Access Complexity (AC): Low
Authentication (Au): Single_Instance
Impact Metrics: Confidentiality (C): Partial
Integrity (I): Partial
Availability (A): None
Vulnerability Type: CWE-79
Vulnerability Consequences: Cross-Site Scripting
References:
Source: MITRE
Type: CNA
CVE-2020-13954

Source: MISC
Type: Vendor Advisory
http://cxf.apache.org/security-advisories.data/CVE-2020-13954.txt.asc?version=1&modificationDate=1605183670659&api=v2

Source: MLIST
Type: Mailing List, Third Party Advisory, Vendor Advisory
[oss-security] 20201112 CVE-2020-13954: Apache CXF Reflected XSS in the services listing page via the styleSheetPath

Source: CCN
Type: Apache Web site
Apache CXF

Source: XF
Type: UNKNOWN
apache-cve202013954-xss(191650)

Source: MLIST
Type: Mailing List, Vendor Advisory
[announce] 20201112 CVE-2020-13954: Apache CXF Reflected XSS in the services listing page via the styleSheetPath

Source: MLIST
Type: Mailing List, Vendor Advisory
[cxf-dev] 20201112 CVE-2020-13954: Apache CXF Reflected XSS in the services listing page via the styleSheetPath

Source: MLIST
Type: Mailing List, Vendor Advisory
[cxf-users] 20201112 CVE-2020-13954: Apache CXF Reflected XSS in the services listing page via the styleSheetPath

Source: MLIST
Type: Mailing List, Vendor Advisory
[syncope-dev] 20210526 [GitHub] [syncope] coheigea opened a new pull request #268: Disable CXF Services Listing

Source: MLIST
Type: Mailing List, Vendor Advisory
[cxf-users] 20201125 RE: CVE-2020-13954: Apache CXF Reflected XSS in the services listing page via the styleSheetPath

Source: MLIST
Type: Mailing List, Vendor Advisory
[cxf-commits] 20201112 svn commit: r1067927 - in /websites/production/cxf/content: cache/main.pageCache security-advisories.data/CVE-2020-13954.txt.asc security-advisories.html

Source: MLIST
Type: Exploit, Mailing List, Vendor Advisory
[cxf-commits] 20210402 svn commit: r1073270 - in /websites/production/cxf/content: cache/main.pageCache security-advisories.data/CVE-2021-22696.txt.asc security-advisories.html

Source: MLIST
Type: Exploit, Mailing List, Vendor Advisory
[cxf-commits] 20210616 svn commit: r1075801 - in /websites/production/cxf/content: cache/main.pageCache index.html security-advisories.data/CVE-2021-30468.txt.asc security-advisories.html

Source: CCN
Type: oss-sec Mailing List, Thu, 12 Nov 2020 12:37:40 +0000
CVE-2020-13954: Apache CXF Reflected XSS in the services listing page via the styleSheetPath

Source: CONFIRM
Type: Third Party Advisory
https://security.netapp.com/advisory/ntap-20210513-0010/

Source: CCN
Type: IBM Security Bulletin 6405732 (Global High Availability Mailbox)
Vulnerability in Apache CXF library shipped with IBM Global Mailbox (CVE-2020-13954)

Source: CCN
Type: IBM Security Bulletin 6406958 (Tivoli Application Dependency Discovery Manager)
Apache CXF vulnerability identified in IBM Tivoli Application Dependency Discovery Manager (CVE-2020-13954)

Source: CCN
Type: IBM Security Bulletin 6435559 (Tivoli Network Manager IP Edition)
A security vulnerability has been identified in Apache CXF, which is a required product for IBM Tivoli Network Manager IP Edition (CVE-2020-13954)

Source: CCN
Type: IBM Security Bulletin 6474843 (QRadar SIEM)
IBM QRadar SIEM is vulnerable to Using Components with Known Vulnerabilities

Source: CCN
Type: IBM Security Bulletin 6520472 (QRadar SIEM)
IBM QRadar SIEM is vulnerable to using components with know vulnerabilities

Source: CCN
Type: IBM Security Bulletin 6570915 (Data Risk Manager)
IBM Data Risk Manager is affected by multiple vulnerabilities including a remote code execution in Spring Framework (CVE-2022-22965)

Source: CCN
Type: IBM Security Bulletin 6826623 (Tivoli Business Service Manager)
A vulnerability in Apache CXF affects IBM Tivoli Business Service Manager (CVE-2020-13954)

Source: CCN
Type: IBM Security Bulletin 6831647 (Security Guardium)
IBM Security Guardium is affected by multiple vulnerabilities

Source: CCN
Type: IBM Security Bulletin 6854685 (InfoSphere Master Data Management)
Security vulnerability in Apache CXF affects IBM InfoSphere Master Data Management

Source: CCN
Type: IBM Security Bulletin 6854713 (Voice Gateway)
Multiple Vulnerabilities in Java and Node.js packages affect IBM Voice Gateway

Source: CCN
Type: Oracle Critical Patch Update Advisory - April 2021
Oracle Critical Patch Update Advisory - April 2021

Source: MISC
Type: Patch, Third Party Advisory
https://www.oracle.com/security-alerts/cpuApr2021.html

Source: MISC
Type: Not Applicable, Third Party Advisory
https://www.oracle.com/security-alerts/cpuapr2022.html

Source: CCN
Type: Oracle CPUJan2021
Oracle Critical Patch Update Advisory - January 2021

Source: MISC
Type: Patch, Third Party Advisory
https://www.oracle.com/security-alerts/cpujan2021.html

Source: MISC
Type: Patch, Third Party Advisory
https://www.oracle.com/security-alerts/cpuoct2021.html

Vulnerable Configuration:
Configuration 1:
  • cpe:/a:apache:cxf:*:*:*:*:*:*:*:* (Version >= 3.4.0 and < 3.4.1)
  • OR cpe:/a:apache:cxf:*:*:*:*:*:*:*:* (Version < 3.3.8)

Configuration 2:
  • cpe:/a:netapp:snap_creator_framework:-:*:*:*:*:*:*:*
  • OR cpe:/a:netapp:vasa_provider_for_clustered_data_ontap:*:*:*:*:*:*:*:* (Version >= 9.6)

Configuration 3:
  • cpe:/a:oracle:retail_order_broker_cloud_service:15.0:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:business_intelligence:12.2.1.3.0:*:*:*:enterprise:*:*:*
  • OR cpe:/a:oracle:business_intelligence:12.2.1.4.0:*:*:*:enterprise:*:*:*
  • OR cpe:/a:oracle:business_intelligence:5.5.0.0.0:*:*:*:enterprise:*:*:*
  • OR cpe:/o:oracle:communications_messaging_server:8.1:*:*:*:*:*:*:*
  • OR cpe:/o:oracle:communications_messaging_server:8.0.2:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:business_intelligence:5.9.0.0.0:*:*:*:enterprise:*:*:*

Configuration CCN 1:
  • cpe:/a:apache:cxf:3.3.7:*:*:*:*:*:*:*
  • OR cpe:/a:apache:cxf:3.4.0:*:*:*:*:*:*:*
  • AND
  • cpe:/a:ibm:tivoli_network_manager:3.9:*:ip:*:*:*:*:*
  • OR cpe:/a:ibm:tivoli_network_manager:4.1:*:ip:*:*:*:*:*
  • OR cpe:/a:ibm:tivoli_network_manager:4.2:*:ip:*:*:*:*:*
  • OR cpe:/a:ibm:infosphere_master_data_management:11.6:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:retail_order_broker_cloud_service:15.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:qradar_security_information_and_event_manager:7.3:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:security_guardium:10.5:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:qradar_security_information_and_event_manager:7.3.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:security_guardium:10.6:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:tivoli_business_service_manager:6.2.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:voice_gateway:1.0.2:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:voice_gateway:1.0.3:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:tivoli_application_dependency_discovery_manager:7.3.0.7:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:voice_gateway:1.0.2.4:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:voice_gateway:1.0.4:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:security_guardium:11.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:security_guardium:11.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:qradar_security_information_and_event_manager:7.4:-:*:*:*:*:*:*
  • OR cpe:/a:ibm:voice_gateway:1.0.5:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:qradar_security_information_and_event_manager:7.4.0:-:*:*:*:*:*:*
  • OR cpe:/a:ibm:security_guardium:11.2:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:voice_gateway:1.0.7:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:security_guardium:11.3:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:qradar_security_information_and_event_manager:7.4.3:-:*:*:*:*:*:*
  • OR cpe:/a:ibm:qradar_security_information_and_event_manager:7.3.3:p8:*:*:*:*:*:*
  • OR cpe:/a:ibm:security_guardium:11.4:*:*:*:*:*:*:*

  • * Denotes that component is vulnerable
    apache cxf *
    apache cxf *
    netapp snap creator framework -
    netapp vasa provider for clustered data ontap *
    oracle retail order broker cloud service 15.0
    oracle business intelligence 12.2.1.3.0
    oracle business intelligence 12.2.1.4.0
    oracle business intelligence 5.5.0.0.0
    oracle communications messaging server 8.1
    oracle communications messaging server 8.0.2
    oracle business intelligence 5.9.0.0.0
    apache cxf 3.3.7
    apache cxf 3.4.0
    ibm tivoli network manager 3.9
    ibm tivoli network manager 4.1
    ibm tivoli network manager 4.2
    ibm infosphere master data management 11.6
    oracle retail order broker cloud service 15.0
    ibm qradar security information and event manager 7.3
    ibm security guardium 10.5
    ibm qradar security information and event manager 7.3.0
    ibm security guardium 10.6
    ibm tivoli business service manager 6.2.0
    ibm voice gateway 1.0.2
    ibm voice gateway 1.0.3
    ibm tivoli application dependency discovery manager 7.3.0.7
    ibm voice gateway 1.0.2.4
    ibm voice gateway 1.0.4
    ibm security guardium 11.0
    ibm security guardium 11.1
    ibm qradar security information and event manager 7.4 -
    ibm voice gateway 1.0.5
    ibm qradar security information and event manager 7.4.0
    ibm security guardium 11.2
    ibm voice gateway 1.0.7
    ibm security guardium 11.3
    ibm qradar security information and event manager 7.4.3 -
    ibm qradar security information and event manager 7.3.3 p8
    ibm security guardium 11.4