All the vulnerabilites related to Red Hat - JBoss Core Services for RHEL 8
cve-2023-6710
Vulnerability from cvelistv5
Published
2023-12-12 22:01
Modified
2024-11-24 12:38
Summary
Mod_cluster/mod_proxy_cluster: stored cross site scripting
References
https://access.redhat.com/errata/RHSA-2024:1316vendor-advisory, x_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2024:1317vendor-advisory, x_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2024:2387vendor-advisory, x_refsource_REDHAT
https://access.redhat.com/security/cve/CVE-2023-6710vdb-entry, x_refsource_REDHAT
https://bugzilla.redhat.com/show_bug.cgi?id=2254128issue-tracking, x_refsource_REDHAT
Impacted products
Vendor Product Version
Red Hat JBoss Core Services on RHEL 7 Unaffected: 0:1.3.20-3.el7jbcs   < *
    cpe:/a:redhat:jboss_core_services:1::el8
    cpe:/a:redhat:jboss_core_services:1::el7
Red Hat Red Hat Enterprise Linux 9 Unaffected: 0:1.3.20-1.el9_4   < *
    cpe:/a:redhat:enterprise_linux:9::appstream
Red Hat Red Hat JBoss Core Services 1     cpe:/a:redhat:jboss_core_services:1
Red Hat Red Hat JBoss Core Services     cpe:/a:redhat:jboss_core_services:1
Show details on NVD website


{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T08:35:14.928Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "RHSA-2024:1316",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2024:1316"
          },
          {
            "name": "RHSA-2024:1317",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2024:1317"
          },
          {
            "name": "RHSA-2024:2387",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2024:2387"
          },
          {
            "tags": [
              "vdb-entry",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/security/cve/CVE-2023-6710"
          },
          {
            "name": "RHBZ#2254128",
            "tags": [
              "issue-tracking",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2254128"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:jboss_core_services:1::el8",
            "cpe:/a:redhat:jboss_core_services:1::el7"
          ],
          "defaultStatus": "affected",
          "packageName": "jbcs-httpd24-mod_proxy_cluster",
          "product": "JBoss Core Services for RHEL 8",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "0:1.3.20-3.el8jbcs",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:jboss_core_services:1::el8",
            "cpe:/a:redhat:jboss_core_services:1::el7"
          ],
          "defaultStatus": "affected",
          "packageName": "jbcs-httpd24-mod_proxy_cluster",
          "product": "JBoss Core Services on RHEL 7",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "0:1.3.20-3.el7jbcs",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:enterprise_linux:9::appstream"
          ],
          "defaultStatus": "affected",
          "packageName": "mod_proxy_cluster",
          "product": "Red Hat Enterprise Linux 9",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "0:1.3.20-1.el9_4",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:jboss_core_services:1"
          ],
          "defaultStatus": "unaffected",
          "packageName": "jbcs-httpd24-mod_proxy_cluster",
          "product": "Red Hat JBoss Core Services 1",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html",
          "cpes": [
            "cpe:/a:redhat:jboss_core_services:1"
          ],
          "defaultStatus": "affected",
          "packageName": "mod_proxy_cluster",
          "product": "Red Hat JBoss Core Services",
          "vendor": "Red Hat"
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Red Hat would like to thank Mohamed Mounir Boudjema (Intervalle-Technologies) for reporting this issue."
        }
      ],
      "datePublic": "2023-12-12T00:00:00+00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "A flaw was found in the mod_proxy_cluster in the Apache server. This issue may allow a malicious user to add a script in the \u0027alias\u0027 parameter in the URL to trigger the stored cross-site scripting (XSS) vulnerability. By adding a script on the alias parameter on the URL, it adds a new virtual host and adds the script to the cluster-manager page."
        }
      ],
      "metrics": [
        {
          "other": {
            "content": {
              "namespace": "https://access.redhat.com/security/updates/classification/",
              "value": "Low"
            },
            "type": "Red Hat severity rating"
          }
        },
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.4,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "LOW",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
            "version": "3.1"
          },
          "format": "CVSS"
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-11-24T12:38:26.983Z",
        "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "shortName": "redhat"
      },
      "references": [
        {
          "name": "RHSA-2024:1316",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2024:1316"
        },
        {
          "name": "RHSA-2024:1317",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2024:1317"
        },
        {
          "name": "RHSA-2024:2387",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2024:2387"
        },
        {
          "tags": [
            "vdb-entry",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/security/cve/CVE-2023-6710"
        },
        {
          "name": "RHBZ#2254128",
          "tags": [
            "issue-tracking",
            "x_refsource_REDHAT"
          ],
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2254128"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2023-12-12T00:00:00+00:00",
          "value": "Reported to Red Hat."
        },
        {
          "lang": "en",
          "time": "2023-12-12T00:00:00+00:00",
          "value": "Made public."
        }
      ],
      "title": "Mod_cluster/mod_proxy_cluster: stored cross site scripting",
      "workarounds": [
        {
          "lang": "en",
          "value": "Mitigation for this issue is either not available or the currently available options don\u0027t meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."
        }
      ],
      "x_redhatCweChain": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
    "assignerShortName": "redhat",
    "cveId": "CVE-2023-6710",
    "datePublished": "2023-12-12T22:01:34.359Z",
    "dateReserved": "2023-12-12T06:15:58.379Z",
    "dateUpdated": "2024-11-24T12:38:26.983Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}