Bug 570289 (CVE-2020-27219) - Eclipse hawkBit CVE request: Improper escaping of JSON response field
Summary: Eclipse hawkBit CVE request: Improper escaping of JSON response field
Status: RESOLVED FIXED
Alias: CVE-2020-27219
Product: Community
Classification: Eclipse Foundation
Component: Vulnerability Reports
Version: unspecified
Hardware: PC Mac OS X
Importance: P3 normal
Target Milestone: ---
Assignee: Security vulnerabilities reported against Eclipse projects
URL: https://github.com/eclipse/hawkbit/is...
Keywords: security
Reported: 2021-01-12 08:32 EST by Dominic Schabel
Modified: 2021-09-20 16:17 EDT

Description Dominic Schabel 2021-01-12 08:32:22 EST
This is an informational CVE originally filed here: https://github.com/eclipse/hawkbit/issues/1067

=======================================

project: Eclipse hawkBit

version: All versions prior to 0.3.0M7

cwe: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

summary: The HTTP 404 (Not Found) JSON response body returned by the REST API may contain unsafe characters within the path attribute. Sending a POST request to a non-existent resource will return the full path from the given URL unescaped to the client.

Calculated score: 5.3 (Medium)
=> https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
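The report above describes a 404 body whose path attribute echoes the request path verbatim. The following is an added illustration written for this page, not hawkBit's code or its actual fix: a naive body builder that reproduces the defect class (the path is neither JSON-escaped nor HTML-escaped), a hardened builder that serialises through a JSON encoder and HTML-escapes the echoed path, and a defender-side check that a response body can be run through to confirm the path attribute is clean. The sample path and the body layout are constructed for the example.

```python
import json
import html

# Constructed sample request path containing characters that are unsafe if the
# response body is ever rendered as HTML. Not taken from the hawkBit report.
SAMPLE_PATH = '/rest/v1/<b>missing</b>"resource'


def naive_not_found_body(path: str) -> str:
    """Build the 404 body by string concatenation, echoing the path verbatim.

    This reproduces the defect class the report describes: the path attribute
    is neither JSON-escaped nor HTML-escaped, so a double quote breaks the JSON
    and angle brackets reach the client unchanged.
    """
    return '{"status":404,"error":"Not Found","path":"' + path + '"}'


def safe_not_found_body(path: str) -> str:
    """Build the 404 body with a JSON encoder and an HTML-escaped path.

    json.dumps guarantees the value is a well-formed JSON string; html.escape
    additionally neutralises <, >, &, and quotes so the value stays inert even
    if a client renders the body as HTML. Hypothetical hardening for this
    example, not hawkBit's own fix.
    """
    body = {
        "status": 404,
        "error": "Not Found",
        "path": html.escape(path, quote=True),
    }
    return json.dumps(body)


def path_attribute_is_escaped(body: str) -> bool:
    """Defender-side check for a captured 404 response body.

    Returns True only if the body parses as JSON and its path attribute
    contains no raw HTML metacharacters. A body that fails to parse (for
    instance because an unescaped quote broke it) is reported as unsafe.
    """
    try:
        parsed = json.loads(body)
    except json.JSONDecodeError:
        return False
    path = parsed.get("path", "")
    return not any(ch in path for ch in '<>"\'')


if __name__ == "__main__":
    for label, builder in (("naive", naive_not_found_body),
                           ("safe", safe_not_found_body)):
        body = builder(SAMPLE_PATH)
        print(f"{label}: escaped={path_attribute_is_escaped(body)} body={body}")
```

The check is deliberately strict: it treats a body it cannot parse as unsafe, because a path containing a raw double quote turns the naive body into invalid JSON, which is itself a symptom of the missing escaping.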
Comment 1 Wayne Beaton 2021-01-14 17:19:19 EST
I've assigned CVE-2020-27219

Pull request: https://github.com/CVEProject/cvelist/pull/520
Comment 2 Dominic Schabel 2021-01-15 02:31:48 EST
Thanks a lot, Wayne!