Operating System:

[WIN][UNIX/Linux]

Published:

23 September 2019

Protect yourself against future threats.

//Service

Member Security Incident Notifications

Be proactive with your security and receive our daily Member Security Incident Notifications (MSINs) custom to your network.

Read more
Resources > Security Bulletins > ESB-2019.3565 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2019.3565
      Apache JSPWiki fixes five vulnerabilities in version 2.11.0.M5
                             23 September 2019

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Apache JSPWiki
Publisher:         Apache
Operating System:  Windows
                   UNIX variants (UNIX, Linux, OSX)
Impact/Access:     Cross-site Scripting     -- Remote with User Interaction
                   Access Confidential Data -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2019-12407 CVE-2019-12404 CVE-2019-10090
                   CVE-2019-10089 CVE-2019-10087 

Original Bulletin: 
   https://jspwiki-wiki.apache.org/Wiki.jsp?page=NewIn2.11
   https://jspwiki-wiki.apache.org/Wiki.jsp?page=CVE-2019-10087
   https://jspwiki-wiki.apache.org/Wiki.jsp?page=CVE-2019-10089
   https://jspwiki-wiki.apache.org/Wiki.jsp?page=CVE-2019-10090
   https://jspwiki-wiki.apache.org/Wiki.jsp?page=CVE-2019-12404
   https://jspwiki-wiki.apache.org/Wiki.jsp?page=CVE-2019-12407

Comment: This bulletin contains six (6) Apache security advisories.

- --------------------------BEGIN INCLUDED TEXT--------------------

New in JSPWiki 2.11.0.M5 - Released on 18/09/2019#

Apache JSPWiki 2.11.0.M5 is the fifth release towards 2.11.0.

This release features, among other things:

  * Keyword support for JSPWiki pages - JIRA:427[out]
      + Use [{SET keywords=a,b,c}] to add keywords to a page. They will be
        shown in the info drop-down menu, and will be added as META tags to
        your page.
  * Show only part of Weblog entry on the overview page - contributed by Ulf
    Dittmer - JIRA:1114[out]
  * Security fixes - CVE-2019-10087, CVE-2019-10089, CVE-2019-10090,
    CVE-2019-12404 and CVE-2019-12407
  * Friendlier wiki page Lucene indexing when using custom analyzers - JIRA:893
    [out]
  * Upgraded bundled dependencies - JIRA:1115[out]
      + commons-lang to 3.9
          o dev-only breaking change: if you were using commons-lang
            transitively on your extension, you must declare it explicitly or
            migrate it to commons-lang 3
      + commons-text to 1.8
      + flexmark to 0.50.40
      + hsqldb to 2.5.0
      + jaxen to 1.2.0
      + jdom2 to 2.0.6
      + junit to 5.5.2
      + lucene to 8.2.0
      + selenide to 5.3.1
      + slf4j to 1.7.28
      + tika to 1.22
      + tomcat to 8.5.45
  * Devs only
      + dev-only breaking change: Removed @Deprecated code
      + Switch Sonar instance to sonarcloud.io[out] - INFRA-18845[out]

- --------------------------------------------------------------------------------

[CVE-2019-10087] Apache JSPWiki Cross-site scripting vulnerability in Page
Revision History#

Severity
Medium

Vendor
The Apache Software Foundation

Versions Affected
Apache JSPWiki up to 2.11.0.M4

Description
A carefully crafted plugin link invocation could trigger an XSS vulnerability
on Apache JSPWiki, related to the Page Revision History, which could allow the
attacker to execute javascript in the victim's browser and get some sensitive
information about the victim.

Mitigation
Apache JSPWiki users should upgrade to 2.11.0.M5 or later.

Credit
This issue was discovered by Jegatheesh A, from ZOHO-CRM Security team.

- -------------------------------------------------------------------------------

[CVE-2019-10089] Apache JSPWiki Cross-site scripting vulnerability on WYSIWYG
editor#

Severity
Medium

Vendor
The Apache Software Foundation

Versions Affected
Apache JSPWiki up to 2.11.0.M4

Description
A carefully crafted plugin link invocation could trigger an XSS vulnerability
on Apache JSPWiki, related to the WYSIWYG editor, which could allow the
attacker to execute javascript in the victim's browser and get some sensitive
information about the victim.

Mitigation
Apache JSPWiki users should upgrade to 2.11.0.M5 or later.

Credit
This issue was discovered by Jegatheesh A, from ZOHO-CRM Security team.

- -------------------------------------------------------------------------------

[CVE-2019-10090] Apache JSPWiki Cross-site scripting vulnerability on plain
editor#

Severity
Medium

Vendor
The Apache Software Foundation

Versions Affected
Apache JSPWiki up to 2.11.0.M4

Description
A carefully crafted plugin link invocation could trigger an XSS vulnerability
on Apache JSPWiki, related to the plain editor, which could allow the attacker
to execute javascript in the victim's browser and get some sensitive
information about the victim.

Mitigation
Apache JSPWiki users should upgrade to 2.11.0.M5 or later.

Credit
This issue was discovered by Dirk Frederickx, from Apache JSPWiki.

- -------------------------------------------------------------------------------

[CVE-2019-12404] Apache JSPWiki Cross-site scripting vulnerability on
InfoContent.jsp#

Severity
Medium

Vendor
The Apache Software Foundation

Versions Affected
Apache JSPWiki up to 2.11.0.M4

Description
A carefully crafted plugin link invocation could trigger an XSS vulnerability
on Apache JSPWiki, related to InfoContent.jsp, which could allow the attacker
to execute javascript in the victim's browser and get some sensitive
information about the victim.

Mitigation
Apache JSPWiki users should upgrade to 2.11.0.M5 or later.

Credit
This issue was discovered by ADLab of VenusTech.

- -------------------------------------------------------------------------------

[CVE-2019-12407] Apache JSPWiki Cross-site scripting vulnerability related to
the remember parameter#

Severity
Medium

Vendor
The Apache Software Foundation

Versions Affected
Apache JSPWiki up to 2.11.0.M4

Description
A carefully crafted plugin link invocation could trigger an XSS vulnerability
on Apache JSPWiki, related to the remember parameter on some of the JSPs, which
could allow the attacker to execute javascript in the victim's browser and get
some sensitive information about the victim.

Mitigation
Apache JSPWiki users should upgrade to 2.11.0.M5 or later.

Credit
This issue was discovered by ADLab of VenusTech.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBXYgcomaOgq3Tt24GAQhamg/+JIIWUF6QU8iSMQIAqGe3pGb2v5UPr88+
ThcUVdGb8MtN2HGmIxZSjUoyGYtpGArCU8/9z02kvEhqDRdD3hdrLzMe96Pp9xWt
6E+E3uMB1BdtAIiwkL3rKl/APnHCIjeNde/ktBBh3akMwOFCSd7uoO4azLGWmO61
UMK9Cdgj/w3eyZu6nWuf70W684R5wNJo0GQu+Mtv+aV4FAjpE5Vk76W9AUjfJtQa
SNfJFRdB/lGGRqy8op3q6kozP8C7U8lWrjUColLMHi/+qfYsCTmuYWYtF8vbVgpm
8wqW4+WP5415+dqDAW4jeZWiR3tlrx1gTuxKhu7HuMeCJdpGaZwzDJlU3G4rrroQ
S5EAvdY2oPImCjOlLSy2TUv0Ai8fCbeIoe4aOSC8t/SCP3A95OzlFyVUm5Ttqmjy
zIIfe94wwVXW/dbniNxyDtmloNPIuJLAQuJZDwYzlpKFw/541k98+/7egdoo7eP+
Ej3kQkIjfesUQRb9cwhgD3vLVLwpKq7cEMSNGG3N2AM+AmxYGq7iwiFoS9XA4jFk
iXiK3tn9w7ZHTu40v2M0gK6wxNJ3qW4xRVAosRWgjA6abMnV/VNwVmP0OAt4D8Ov
/v55o7EV1Fp0w+8yBM05FqU4QiD2ROK0PWH3IhaN2ErH/KbD0Vyqhfbff2gTznqE
gnP1rMARazM=
=TyMT
-----END PGP SIGNATURE-----