Apache bRPC 1.6.0 XSS via rpcz page
CVE-2023-45757 Published on October 16, 2023

Apache bRPC: The builtin service rpcz page has an XSS vulnerability
A security vulnerability in Apache bRPC <= 1.6.0 on all platforms allows attackers to inject XSS code into the builtin rpcz page. An attacker that can send HTTP requests to a bRPC server with rpcz enabled can inject arbitrary XSS code into the builtin rpcz page.

Solution (choose one of three):
1. Upgrade to bRPC > 1.6.0, download link: https://dist.apache.org/repos/dist/release/brpc/1.6.1/
2. If you are using an old version of bRPC and it is hard to upgrade, you can apply this patch: https://github.com/apache/brpc/pull/2411
3. Disable the rpcz feature


Weakness Type

What is an XSS Vulnerability?

The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
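To make the weakness concrete, here is a small C++ example added for this page; it is not bRPC's code and not the fix from the linked pull request. It models a builtin diagnostics page that echoes a request-controlled value (a hypothetical `filter` query parameter) into HTML. The vulnerable renderer concatenates the raw value, so a payload such as `<script>alert(1)</script>` becomes part of the page shown to whoever views it; the hardened renderer HTML-escapes the value at output time, after URL-decoding, which is the neutralization step CWE-79 describes as missing. The helper names (`html_escape`, `url_decode`, `render_vulnerable`, `render_hardened`) are invented for the example.

```cpp
#include <iostream>
#include <string>

// Escape the five characters that can break out of HTML text or attribute
// context. This is the "neutralization" that the vulnerable path omits.
std::string html_escape(const std::string& in) {
    std::string out;
    out.reserve(in.size());
    for (char c : in) {
        switch (c) {
            case '&':  out += "&amp;";  break;
            case '<':  out += "&lt;";   break;
            case '>':  out += "&gt;";   break;
            case '"':  out += "&quot;"; break;
            case '\'': out += "&#39;";  break;
            default:   out += c;
        }
    }
    return out;
}

static int hex_val(char c) {
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

// Minimal percent-decoding of a query-string value. Attackers typically
// send the payload URL-encoded, so escaping must happen after decoding,
// not on the still-encoded bytes.
std::string url_decode(const std::string& in) {
    std::string out;
    for (size_t i = 0; i < in.size(); ++i) {
        if (in[i] == '%' && i + 2 < in.size()) {
            int hi = hex_val(in[i + 1]);
            int lo = hex_val(in[i + 2]);
            if (hi >= 0 && lo >= 0) {
                out += static_cast<char>(hi * 16 + lo);
                i += 2;
                continue;
            }
        }
        if (in[i] == '+') { out += ' '; continue; }
        out += in[i];
    }
    return out;
}

// Vulnerable: the decoded request value is concatenated straight into the
// page body, so markup in the value is interpreted by the viewer's browser.
std::string render_vulnerable(const std::string& raw_filter_param) {
    const std::string value = url_decode(raw_filter_param);
    return "<html><body><h1>rpcz</h1><p>filter: " + value + "</p></body></html>";
}

// Hardened: same page, but the value is escaped at the point it enters HTML.
std::string render_hardened(const std::string& raw_filter_param) {
    const std::string value = url_decode(raw_filter_param);
    return "<html><body><h1>rpcz</h1><p>filter: " + html_escape(value) +
           "</p></body></html>";
}

// Crude detector used to demonstrate the difference: does the rendered page
// contain an unescaped <script tag?
bool contains_raw_script(const std::string& page) {
    return page.find("<script") != std::string::npos;
}

int main() {
    // Constructed payload, as it would appear URL-encoded in a query string.
    const std::string payload = "%3Cscript%3Ealert(1)%3C/script%3E";
    std::cout << "vulnerable: " << render_vulnerable(payload) << "\n";
    std::cout << "hardened:   " << render_hardened(payload) << "\n";
    return 0;
}
```

The advisory's third mitigation (disable rpcz) removes the output path entirely; the upgrade and patch options correspond to fixing the output side, as `render_hardened` does here. Escaping belongs at the HTML sink rather than at request parsing, since the same value may also be logged or compared and must not be mangled there.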

CVE-2023-45757 has been classified as an XSS vulnerability or weakness.


Products Associated with CVE-2023-45757


Affected Versions

Apache Software Foundation Apache bRPC:

Exploit Probability

EPSS: 3.82%
Percentile: 87.89%

EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.