CVE-2018-1000129
published 2018-03-14

Priority P3 · 49 · medium · 6.1 CVSS 3.0
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
EXPLOIT
EPSS: 25.46% (97.7th percentile)
An XSS vulnerability exists in the Jolokia agent version 1.3.7 in the HTTP servlet that allows an attacker to execute malicious javascript in the victim's browser.

Affected (1 range)

Vendor | Product | Version range | Fixed in
jolokia | jolokia | |

Detection & IOCs (extracted from sources)

url: /api/jolokia/read?mimeType=text/html
url: /jolokia/read?mimeType=text/html
command: mimeType=text/html
  • Send a GET request to /jolokia/read or /api/jolokia/read with the query parameter mimeType=text/html. A vulnerable instance will return HTTP 200 with Content-Type: text/html and a body containing both 'java.lang.IllegalArgumentException' and 'No type with name', indicating the JSON error response is rendered directly in the browser.
  • The attack vector is the mimeType query parameter being set to text/html, which forces the browser to render the Jolokia JSON response as HTML, enabling reflected XSS via injected SVG/script payloads in the URI path.
  • Observed XSS proof-of-concept payloads use SVG onload vectors appended to the Jolokia endpoint path combined with mimeType=text/html, e.g. /<path>%3Csvg%20onload=alert(...)%3E?mimeType=text/html
  • Red Hat assessed this as Low severity for several OpenStack Platform versions because, although the affected code is present, data returned by Jolokia is correctly processed by the consuming JavaScript library and invalid data is not used directly by the browser.
  • The Nuclei template uses stop-at-first-match across two probe paths (/api/jolokia/read and /jolokia/read), so detection tooling should probe both paths to maximise coverage.
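A defender-side classifier for the signature described in the notes above, added here as example code (it is not the advisory's own tooling or the Nuclei template). It builds the two probe URLs, parses a raw HTTP response, applies the three conditions (200, Content-Type text/html, both marker strings in the body) while tolerating a charset parameter on Content-Type, and stops at the first matching path. The host name and the sample responses are constructed, not captured from a real system.

```python
from typing import NamedTuple, Optional

PROBE_PATHS = ("/api/jolokia/read", "/jolokia/read")  # both paths the template probes
PROBE_QUERY = "mimeType=text/html"
MARKERS = ("java.lang.IllegalArgumentException", "No type with name")

class Response(NamedTuple):
    status: int
    headers: dict      # header names lower-cased
    body: str

def probe_urls(base_url: str) -> list:
    """Build both probe URLs so tooling covers both paths, not just one."""
    return [f"{base_url.rstrip('/')}{p}?{PROBE_QUERY}" for p in PROBE_PATHS]

def parse_raw_response(raw: str) -> Response:
    """Minimal parser for a raw HTTP/1.1 response: status line, headers, body."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return Response(status, headers, body)

def is_vulnerable(resp: Response) -> bool:
    """All three conditions from the note: 200, text/html, both marker strings."""
    if resp.status != 200:
        return False
    media_type = resp.headers.get("content-type", "").split(";", 1)[0].strip().lower()
    if media_type != "text/html":   # a charset parameter must not break the match
        return False
    return all(m in resp.body for m in MARKERS)

def first_match(responses: dict) -> Optional[str]:
    """Stop-at-first-match over the two paths, as the Nuclei template does."""
    for path in PROBE_PATHS:
        resp = responses.get(path)
        if resp is not None and is_vulnerable(resp):
            return path
    return None

# Constructed sample responses (not captured from a real host).
ERROR_JSON = ('{"error_type":"java.lang.IllegalArgumentException","error":'
              '"java.lang.IllegalArgumentException : No type with name \'\' exists","status":400}')
VULN_RAW = "HTTP/1.1 200 OK\r\nContent-Type: text/html;charset=UTF-8\r\n\r\n" + ERROR_JSON
SAFE_RAW = "HTTP/1.1 200 OK\r\nContent-Type: text/plain;charset=UTF-8\r\n\r\n" + ERROR_JSON
```

The SAFE_RAW case shows why the Content-Type condition matters: the same error JSON served as text/plain is not rendered by the browser and is not flagged.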

CVSS provenance

nvd v3.0 · 6.1 MEDIUM · CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
nvd v2.0 · 4.3 MEDIUM · AV:N/AC:M/Au:N/C:N/I:P/A:N
vendor_redhat · 6.1 MEDIUM