Vulnerability-Lookup

CNVD-2015-03619

Vulnerability from cnvd - Published: 2015-06-05

Title

Apache Sling API和Sling Servlets跨站脚本漏洞

Description

Apache Sling API是美国阿帕奇（Apache）软件基金会的一套用于构建Web应用程序的框架。Apache Sling Servlets Post是其中的一个容器。 Apache Sling API和Sling Servlets存在跨站脚本漏洞。允许远程攻击者利用该漏洞通过URI注入任意Web脚本或HTML。

Severity

中

Patch Name

Apache Sling API和Sling Servlets跨站脚本漏洞的补丁

Patch Description

Formal description

用户可参考如下供应商提供的安全公告获得补丁信息： https://issues.apache.org/jira/browse/SLING-2082

Reference

http://www.securityfocus.com/bid/74839 https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-2944

Impacted products

Name
['Apache Sling API < 2.2.2', 'Apache Sling Servlets < 2.1.2']

Show details on source website

JSON

To clipboard

{
  "bids": {
    "bid": {
      "bidNumber": "74839"
    }
  },
  "cves": {
    "cve": {
      "cveNumber": "CVE-2015-2944"
    }
  },
  "description": "Apache Sling API\u662f\u7f8e\u56fd\u963f\u5e15\u5947\uff08Apache\uff09\u8f6f\u4ef6\u57fa\u91d1\u4f1a\u7684\u4e00\u5957\u7528\u4e8e\u6784\u5efaWeb\u5e94\u7528\u7a0b\u5e8f\u7684\u6846\u67b6\u3002Apache Sling Servlets Post\u662f\u5176\u4e2d\u7684\u4e00\u4e2a\u5bb9\u5668\u3002\r\n\r\nApache Sling API\u548cSling Servlets\u5b58\u5728\u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e\u3002\u5141\u8bb8\u8fdc\u7a0b\u653b\u51fb\u8005\u5229\u7528\u8be5\u6f0f\u6d1e\u901a\u8fc7URI\u6ce8\u5165\u4efb\u610fWeb\u811a\u672c\u6216HTML\u3002",
  "discovererName": "MORI Shingo and Toshiharu Sugiyama of DeNA Co., Ltd",
  "formalWay": "\u7528\u6237\u53ef\u53c2\u8003\u5982\u4e0b\u4f9b\u5e94\u5546\u63d0\u4f9b\u7684\u5b89\u5168\u516c\u544a\u83b7\u5f97\u8865\u4e01\u4fe1\u606f\uff1a\r\nhttps://issues.apache.org/jira/browse/SLING-2082",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2015-03619",
  "openTime": "2015-06-05",
  "patchDescription": "Apache Sling API\u662f\u7f8e\u56fd\u963f\u5e15\u5947\uff08Apache\uff09\u8f6f\u4ef6\u57fa\u91d1\u4f1a\u7684\u4e00\u5957\u7528\u4e8e\u6784\u5efaWeb\u5e94\u7528\u7a0b\u5e8f\u7684\u6846\u67b6\u3002Apache Sling Servlets Post\u662f\u5176\u4e2d\u7684\u4e00\u4e2a\u5bb9\u5668\u3002\r\n\r\nApache Sling API\u548cSling Servlets\u5b58\u5728\u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e\u3002\u5141\u8bb8\u8fdc\u7a0b\u653b\u51fb\u8005\u5229\u7528\u8be5\u6f0f\u6d1e\u901a\u8fc7URI\u6ce8\u5165\u4efb\u610fWeb\u811a\u672c\u6216HTML\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "Apache Sling API\u548cSling Servlets\u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e\u7684\u8865\u4e01",
  "products": {
    "product": [
      "Apache Sling API \u003c 2.2.2",
      "Apache Sling Servlets \u003c 2.1.2"
    ]
  },
  "referenceLink": "http://www.securityfocus.com/bid/74839\r\nhttps://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-2944",
  "serverity": "\u4e2d",
  "submitTime": "2015-06-04",
  "title": "Apache Sling API\u548cSling Servlets\u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e"
}

CVE-2015-2944 (GCVE-0-2015-2944)

Vulnerability from cvelistv5 – Published: 2015-06-02 14:00 – Updated: 2024-08-06 05:32

Summary

Multiple cross-site scripting (XSS) vulnerabilities in Apache Sling API before 2.2.2 and Apache Sling Servlets Post before 2.1.2 allow remote attackers to inject arbitrary web script or HTML via the URI, related to (1) org/apache/sling/api/servlets/HtmlResponse and (2) org/apache/sling/servlets/post/HtmlResponse.

Severity ?

No CVSS data available.

CWE

Assigner

jpcert

References

URL

Tags

	http://jvn.jp/en/jp/JVN61328139/index.html	third-party-advisoryx_refsource_JVN
	http://www.securityfocus.com/bid/74839	vdb-entryx_refsource_BID
	https://issues.apache.org/jira/browse/SLING-2082	x_refsource_CONFIRM
	http://jvndb.jvn.jp/jvndb/JVNDB-2015-000069	third-party-advisoryx_refsource_JVNDB
	https://lists.apache.org/thread.html/rd2a35285863…	mailing-listx_refsource_MLIST
	https://lists.apache.org/thread.html/r93d68359eb0…	mailing-listx_refsource_MLIST
	https://lists.apache.org/thread.html/r4f41dd891a5…	mailing-listx_refsource_MLIST
	https://lists.apache.org/thread.html/r04237d561f3…	mailing-listx_refsource_MLIST

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-06T05:32:20.622Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "JVN#61328139",
            "tags": [
              "third-party-advisory",
              "x_refsource_JVN",
              "x_transferred"
            ],
            "url": "http://jvn.jp/en/jp/JVN61328139/index.html"
          },
          {
            "name": "74839",
            "tags": [
              "vdb-entry",
              "x_refsource_BID",
              "x_transferred"
            ],
            "url": "http://www.securityfocus.com/bid/74839"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://issues.apache.org/jira/browse/SLING-2082"
          },
          {
            "name": "JVNDB-2015-000069",
            "tags": [
              "third-party-advisory",
              "x_refsource_JVNDB",
              "x_transferred"
            ],
            "url": "http://jvndb.jvn.jp/jvndb/JVNDB-2015-000069"
          },
          {
            "name": "[sling-dev] 20210409 [jira] [Created] (SLING-10284) Dependency check fails on CVE-2015-2944 for Sling Resource Merger 1.4.0",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread.html/rd2a352858630721e7b1655bbdf85e692d6156fcfe68109e12b017b16%40%3Cdev.sling.apache.org%3E"
          },
          {
            "name": "[sling-dev] 20210409 [jira] [Commented] (SLING-10284) Dependency check fails on CVE-2015-2944 for Sling Resource Merger 1.4.0",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread.html/r93d68359eb0ea8c0f26d71ca3998143f99209a24db7b4dacfc688cea%40%3Cdev.sling.apache.org%3E"
          },
          {
            "name": "[sling-dev] 20210409 [jira] [Comment Edited] (SLING-10284) Dependency check fails on CVE-2015-2944 for Sling Resource Merger 1.4.0",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread.html/r4f41dd891a52133abdbf7f74ad1dde80c46f157c1f1cf8c23ba60a70%40%3Cdev.sling.apache.org%3E"
          },
          {
            "name": "[sling-dev] 20210409 [jira] [Resolved] (SLING-10284) Dependency check fails on CVE-2015-2944 for Sling Resource Merger 1.4.0",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread.html/r04237d561f3e5bced0a26287454450a34275162aa6b1dbae1b707b31%40%3Cdev.sling.apache.org%3E"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "datePublic": "2011-05-18T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "Multiple cross-site scripting (XSS) vulnerabilities in Apache Sling API before 2.2.2 and Apache Sling Servlets Post before 2.1.2 allow remote attackers to inject arbitrary web script or HTML via the URI, related to (1) org/apache/sling/api/servlets/HtmlResponse and (2) org/apache/sling/servlets/post/HtmlResponse."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2021-04-09T14:06:14",
        "orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
        "shortName": "jpcert"
      },
      "references": [
        {
          "name": "JVN#61328139",
          "tags": [
            "third-party-advisory",
            "x_refsource_JVN"
          ],
          "url": "http://jvn.jp/en/jp/JVN61328139/index.html"
        },
        {
          "name": "74839",
          "tags": [
            "vdb-entry",
            "x_refsource_BID"
          ],
          "url": "http://www.securityfocus.com/bid/74839"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://issues.apache.org/jira/browse/SLING-2082"
        },
        {
          "name": "JVNDB-2015-000069",
          "tags": [
            "third-party-advisory",
            "x_refsource_JVNDB"
          ],
          "url": "http://jvndb.jvn.jp/jvndb/JVNDB-2015-000069"
        },
        {
          "name": "[sling-dev] 20210409 [jira] [Created] (SLING-10284) Dependency check fails on CVE-2015-2944 for Sling Resource Merger 1.4.0",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.apache.org/thread.html/rd2a352858630721e7b1655bbdf85e692d6156fcfe68109e12b017b16%40%3Cdev.sling.apache.org%3E"
        },
        {
          "name": "[sling-dev] 20210409 [jira] [Commented] (SLING-10284) Dependency check fails on CVE-2015-2944 for Sling Resource Merger 1.4.0",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.apache.org/thread.html/r93d68359eb0ea8c0f26d71ca3998143f99209a24db7b4dacfc688cea%40%3Cdev.sling.apache.org%3E"
        },
        {
          "name": "[sling-dev] 20210409 [jira] [Comment Edited] (SLING-10284) Dependency check fails on CVE-2015-2944 for Sling Resource Merger 1.4.0",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.apache.org/thread.html/r4f41dd891a52133abdbf7f74ad1dde80c46f157c1f1cf8c23ba60a70%40%3Cdev.sling.apache.org%3E"
        },
        {
          "name": "[sling-dev] 20210409 [jira] [Resolved] (SLING-10284) Dependency check fails on CVE-2015-2944 for Sling Resource Merger 1.4.0",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.apache.org/thread.html/r04237d561f3e5bced0a26287454450a34275162aa6b1dbae1b707b31%40%3Cdev.sling.apache.org%3E"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "vultures@jpcert.or.jp",
          "ID": "CVE-2015-2944",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Multiple cross-site scripting (XSS) vulnerabilities in Apache Sling API before 2.2.2 and Apache Sling Servlets Post before 2.1.2 allow remote attackers to inject arbitrary web script or HTML via the URI, related to (1) org/apache/sling/api/servlets/HtmlResponse and (2) org/apache/sling/servlets/post/HtmlResponse."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "JVN#61328139",
              "refsource": "JVN",
              "url": "http://jvn.jp/en/jp/JVN61328139/index.html"
            },
            {
              "name": "74839",
              "refsource": "BID",
              "url": "http://www.securityfocus.com/bid/74839"
            },
            {
              "name": "https://issues.apache.org/jira/browse/SLING-2082",
              "refsource": "CONFIRM",
              "url": "https://issues.apache.org/jira/browse/SLING-2082"
            },
            {
              "name": "JVNDB-2015-000069",
              "refsource": "JVNDB",
              "url": "http://jvndb.jvn.jp/jvndb/JVNDB-2015-000069"
            },
            {
              "name": "[sling-dev] 20210409 [jira] [Created] (SLING-10284) Dependency check fails on CVE-2015-2944 for Sling Resource Merger 1.4.0",
              "refsource": "MLIST",
              "url": "https://lists.apache.org/thread.html/rd2a352858630721e7b1655bbdf85e692d6156fcfe68109e12b017b16@%3Cdev.sling.apache.org%3E"
            },
            {
              "name": "[sling-dev] 20210409 [jira] [Commented] (SLING-10284) Dependency check fails on CVE-2015-2944 for Sling Resource Merger 1.4.0",
              "refsource": "MLIST",
              "url": "https://lists.apache.org/thread.html/r93d68359eb0ea8c0f26d71ca3998143f99209a24db7b4dacfc688cea@%3Cdev.sling.apache.org%3E"
            },
            {
              "name": "[sling-dev] 20210409 [jira] [Comment Edited] (SLING-10284) Dependency check fails on CVE-2015-2944 for Sling Resource Merger 1.4.0",
              "refsource": "MLIST",
              "url": "https://lists.apache.org/thread.html/r4f41dd891a52133abdbf7f74ad1dde80c46f157c1f1cf8c23ba60a70@%3Cdev.sling.apache.org%3E"
            },
            {
              "name": "[sling-dev] 20210409 [jira] [Resolved] (SLING-10284) Dependency check fails on CVE-2015-2944 for Sling Resource Merger 1.4.0",
              "refsource": "MLIST",
              "url": "https://lists.apache.org/thread.html/r04237d561f3e5bced0a26287454450a34275162aa6b1dbae1b707b31@%3Cdev.sling.apache.org%3E"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
    "assignerShortName": "jpcert",
    "cveId": "CVE-2015-2944",
    "datePublished": "2015-06-02T14:00:00",
    "dateReserved": "2015-04-07T00:00:00",
    "dateUpdated": "2024-08-06T05:32:20.622Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CNVD-2015-03619

CVE-2015-2944 (GCVE-0-2015-2944)

Tags

Sightings

Nomenclature