Description

In all version of Eclipse Hawkbit prior to 0.3.0M7, the HTTP 404 (Not Found) JSON response body returned by the REST API may contain unsafe characters within the path attribute. Sending a POST request to a non existing resource will return the full path from the given URL unescaped to the client.

Remediation

References

https://bugs.eclipse.org/bugs/show_bug.cgi?id=570289

https://github.com/eclipse/hawkbit/issues/1067

Related Vulnerabilities

CVE-2014-0086 Vulnerability in maven package org.richfaces.core:richfaces-core-impl

CVE-2018-1000600 Vulnerability in maven package com.coravy.hudson.plugins.github:github

CVE-2023-50774 Vulnerability in maven package org.jenkins-ci.plugins:htmlresource

CVE-2023-50777 Vulnerability in maven package com.cloudtp.jenkins:paaslane-estimate

CVE-2023-24998 Vulnerability in maven package org.apache.tomcat:tomcat-util

Severity

High

Classification

CWE-79 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Tags

Vendor Advisory Third Party Advisory