-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

CVE-2016-6812: XSS risk in Apache CXF FormattedServiceListWriter when a request URL contains matrix parameters

Severity: Major

Vendor: The Apache Software Foundation

Versions Affected:

This vulnerability affects all versions of Apache CXF prior to 3.0.12 and 3.1.9.

Description:

The Apache CXF HTTP transport module uses FormattedServiceListWriter to provide an HTML page which lists the names and absolute URL addresses of the available service endpoints.

The module calculates the base URL using the current HttpServletRequest. The calculated base URL is used by FormattedServiceListWriter to build the absolute URLs of the service endpoints.

If unexpected matrix parameters have been injected into the request URL, these matrix parameters find their way back to the client in the services list page, which represents an XSS risk to the client.

This has been fixed in revisions:

CXF 3.1.x:
http://git-wip-us.apache.org/repos/asf/cxf/commit/32e89366
http://git-wip-us.apache.org/repos/asf/cxf/commit/1f824d80

CXF 3.0.x:
http://git-wip-us.apache.org/repos/asf/cxf/commit/1be97cb1
http://git-wip-us.apache.org/repos/asf/cxf/commit/a30397b0

CXF 3.2.0-SNAPSHOT (master):
http://git-wip-us.apache.org/repos/asf/cxf/commit/45b1b5b9
http://git-wip-us.apache.org/repos/asf/cxf/commit/a23c615b

Credit:

The concern was originally raised by Donald Kwakkel. Mike Noordermeer demonstrated how a concrete XSS attack could be executed against Apache CXF FormattedServiceListWriter.

Migration:

CXF 3.0.x users should upgrade to 3.0.12 or later as soon as possible.
CXF 3.1.x users should upgrade to 3.1.9 or later as soon as possible.

References: http://cxf.apache.org/security-advisories.html

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iEYEARECAAYFAlhYBocACgkQmcduTd7eq5L8ygCgp/wH+W7PCBdZUUYSxblWshwo
ggkAn3uaSS0x2jRxikd8QdDf1Yu50mFY
=E5Eo
-----END PGP SIGNATURE-----
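
The following is an added example, not CXF's code and not the fix made in the commits listed above. It sketches the defensive pattern the description implies: drop matrix parameters from the request path before using it as the base URL, and HTML-escape the URL when writing the service list. The class name, method names, origin, endpoint name and sample request path are all constructed for illustration.

```java
public class ServiceListBaseUrl {

    // Remove ";name=value" matrix parameters from every path segment.
    static String stripMatrixParams(String path) {
        StringBuilder out = new StringBuilder(path.length());
        boolean skipping = false;
        for (char c : path.toCharArray()) {
            if (c == '/') {
                skipping = false;      // a new segment starts
            } else if (c == ';') {
                skipping = true;       // drop everything up to the next '/'
            }
            if (!skipping) { out.append(c); }
        }
        return out.toString();
    }

    // Encode the characters that are significant in HTML text and attributes.
    static String escapeHtml(String s) {
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (char c : s.toCharArray()) {
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    // Build one row of the service list from the request path and endpoint name.
    static String endpointLink(String origin, String requestPath, String endpoint) {
        String url = origin + stripMatrixParams(requestPath) + "/" + endpoint;
        String safe = escapeHtml(url);
        return "<a href=\"" + safe + "\">" + safe + "</a>";
    }

    public static void main(String[] args) {
        // Constructed request path carrying an unexpected matrix parameter.
        String requestPath = "/services;x=\"><i>injected</i>";
        // The '/' inside the value starts a new segment, so stripping alone
        // leaves "/i>" behind; escaping the output neutralises the remainder.
        System.out.println(stripMatrixParams(requestPath));
        System.out.println(endpointLink("http://localhost:8080", requestPath, "HelloService"));
    }
}
```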