Description

In all version of Eclipse Hawkbit prior to 0.3.0M7, the HTTP 404 (Not Found) JSON response body returned by the REST API may contain unsafe characters within the path attribute. Sending a POST request to a non existing resource will return the full path from the given URL unescaped to the client.

Remediation

References

https://bugs.eclipse.org/bugs/show_bug.cgi?id=570289

https://github.com/eclipse/hawkbit/issues/1067

Related Vulnerabilities

CVE-2022-39202 Vulnerability in npm package matrix-appservice-irc

CVE-2019-1003087 Vulnerability in maven package org.jenkins-ci.plugins:labmanager

CVE-2023-40177 Vulnerability in maven package org.xwiki.platform:xwiki-platform-appwithinminutes-ui

CVE-2022-38900 Vulnerability in maven package org.webjars.bowergithub.samverschueren:decode-uri-component

CVE-2021-21346 Vulnerability in maven package com.thoughtworks.xstream:xstream

Severity

High

Classification

CWE-79 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Tags

Vendor Advisory Third Party Advisory