CVE-2020-27219

In all version of Eclipse Hawkbit prior to 0.3.0M7, the HTTP 404 (Not Found) JSON response body returned by the REST API may contain unsafe characters within the path attribute. Sending a POST request to a non existing resource will return the full path from the given URL unescaped to the client.
Cross-site Scripting
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
6.1 MEDIUM
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
eclipseCNA
---
---
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 54%
VendorProductVersion
eclipsehawkbit
𝑥
≤ 0.2.5
eclipsehawkbit
0.3.0:m1
eclipsehawkbit
0.3.0:m2
eclipsehawkbit
0.3.0:m3
eclipsehawkbit
0.3.0:m4
eclipsehawkbit
0.3.0:m5
eclipsehawkbit
0.3.0:m6
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://bugs.eclipse.org/bugs/show_bug.cgi?id=570289
https://github.com/eclipse/hawkbit/issues/1067
https://bugs.eclipse.org/bugs/show_bug.cgi?id=570289
https://github.com/eclipse/hawkbit/issues/1067