Apache bRPC: The builtin service rpcz page has an XSS attack vulnerability
CVE-2023-45757

6.1MEDIUM

Key Information:

Vendor: Apache
Status: Apache Brpc
Vendor: CVE Published:; 16 October 2023

Summary

Security vulnerability in Apache bRPC <=1.6.0 on all platforms allows attackers to inject XSS code to the builtin rpcz page. An attacker that can send http request to bRPC server with rpcz enabled can inject arbitrary XSS code to the builtin rpcz page.

Solution (choose one of three):

upgrade to bRPC > 1.6.0, download link: https://dist.apache.org/repos/dist/release/brpc/1.6.1/
If you are using an old version of bRPC and hard to upgrade, you can apply this patch: https://github.com/apache/brpc/pull/2411
disable rpcz feature

Affected Version(s)

Apache bRPC 0.9.0 <= 1.6.0

References

https://lists.apache.org/thread/6syxv32fqgl30brfpttrk4rfs...

vendor-advisory

http://www.openwall.com/lists/oss-security/2023/10/16/8

CVSS V3.1

Score:

6.1

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Changed

Timeline

Vulnerability published
Oct 16, 2023
Vulnerability Reserved
Oct 12, 2023