PT-2023-29673 · Apache · Apache Brpc
Wang Weibing
·
Published
2023-10-16
·
Updated
2023-10-19
·
CVE-2023-45757
CVSS v3.1
6.1
Medium
| Vector | AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
Name of the Vulnerable Software and Affected Versions
Apache bRPC versions <=1.6.0
Description
A security issue allows attackers to inject arbitrary XSS code into the builtin rpcz page of Apache bRPC. This can be exploited by an attacker who can send HTTP requests to a bRPC server with rpcz enabled.
Recommendations
For Apache bRPC versions <=1.6.0, consider one of the following solutions:
- Upgrade to bRPC > 1.6.0.
- Apply the patch available at https://github.com/apache/brpc/pull/2411 if upgrading is not feasible.
- Disable the rpcz feature as a temporary workaround.
Fix
XSS
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Apache Brpc