CVE-2023-45757
MEDIUM — Apache bRPC <= 1.6.0 - Cross-Site Scripting in rpcz Page
Title source: llmDescription
Security vulnerability in Apache bRPC <= 1.6.0 on all platforms allows attackers to inject XSS code into the built-in rpcz page. An attacker who can send HTTP requests to a bRPC server with rpcz enabled can inject arbitrary XSS code into the built-in rpcz page.
Solution (choose one of three):
1. Upgrade to bRPC > 1.6.0, download link: https://dist.apache.org/repos/dist/release/brpc/1.6.1/
2. If you are using an old version of bRPC and upgrading is hard, you can apply this patch: https://github.com/apache/brpc/pull/2411
3. Disable the rpcz feature.
References (2)
Core References
Mailing List, Third Party Advisory
http://www.openwall.com/lists/oss-security/2023/10/16/8
Mailing List, Vendor Advisory
https://lists.apache.org/thread/6syxv32fqgl30brfpttrk4rfsb983hl4
Scores
CVSS v3: 6.1
EPSS: 0.0382
EPSS Percentile: 88.3%
Attack Vector: NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CISA SSVC
Vulnrichment
Exploitation: none
Automatable: no
Technical Impact: partial
Details
CWE: CWE-79
Status: published
Products (1)
apache/brpc < 1.6.1
Published: Oct 16, 2023
Tracked Since: Feb 18, 2026