Security vulnerability in Apache bRPC <=1.6.0 on all platforms allows attackers to inject XSS code to the builtin rpcz page.
An attacker that can send http request to bRPC server with rpcz enabled can inject arbitrary XSS code to the builtin rpcz page.
Solution (choose one of three):
1. upgrade to bRPC > 1.6.0, download link: https://dist.apache.org/repos/dist/release/brpc/1.6.1/
2. If you are using an old version of bRPC and hard to upgrade, you can apply this patch: https://github.com/apache/brpc/pull/2411
3. disable rpcz feature
Metrics
Affected Vendors & Products
References
History
No history.
MITRE
Status: PUBLISHED
Assigner: apache
Published: 2023-10-16T08:01:41.036Z
Updated: 2024-09-16T18:27:28.347Z
Reserved: 2023-10-12T09:28:16.458Z
Link: CVE-2023-45757
Vulnrichment
Updated: 2024-08-02T20:29:32.439Z
NVD
Status : Modified
Published: 2023-10-16T09:15:11.563
Modified: 2024-11-21T08:27:19.177
Link: CVE-2023-45757
Redhat
No data.