JVN#94521208: Multiple vulnerabilities in FitNesse

Overview

FitNesse contains multiple vulnerabilities.

Products Affected

CVE-2024-28128

FitNesse releases prior to 20220319

CVE-2024-23604, CVE-2024-28039, CVE-2024-28125

FitNesse all releases

Description

FitNesse contains multiple vulnerabilities listed below.

Multiple cross-site scripting (CWE-79) - CVE-2024-23604, CVE-2024-28128

CVSS v3 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N Base Score: 6.1

CVSS v2 AV:N/AC:M/Au:N/C:N/I:P/A:N Base Score: 4.3
Improper restriction of XML external entity references (CWE-611) -CVE-2024-28039

CVSS v3 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N Base Score: 5.8

CVSS v2 AV:N/AC:L/Au:N/C:P/I:N/A:N Base Score: 5.0
OS command injection (CWE-78) - CVE-2024-28125

CVSS v3 CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H Base Score: 8.8

CVSS v2 AV:N/AC:L/Au:S/C:P/I:P/A:P Base Score: 6.5

Impact

An arbitrary script may be executed on the web browser of the user who is using the product and accessing a link with specially crafted multiple parameters. - CVE-2024-23604
A FitNesse user may obtain sensitive information, alter data, or cause a denial-of-service (DoS) - CVE-2024-28039
An arbitrary OS command may be executed by a FitNesse user - CVE-2024-28125
An arbitrary script may be executed on the web browser of the user who is using the product and accessing a link with a specially crafted certain parameter. - CVE-2024-28128

Solution

CVE-2024-28128
Update the software
Update the software to the latest version according to the information provided by the developer.
The developer fixed the vulnerability in the following version:

FitNesse release 20220319

CVE-2024-23604, CVE-2024-28039, CVE-2024-28125
Apply a Workaround
The developer recommends applying "Using FitNesse Safely" as shown in Security Policy.

For more information, refer to the information provided by the developer.

Vendor Status

Vendor	Link
unclebob	fitnesse
	FitNess Official release
	Security Policy

References

JPCERT/CC Addendum

Vulnerability Analysis by JPCERT/CC

Credit

CVE-2024-23604, CVE-2024-28039, CVE-2024-28125
Kanta Nishitani of GMO Cybersecurity by Ierae, Inc. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.

CVE-2024-28128
Yutaka WATANABE of GMO Cybersecurity by Ierae, Inc. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.

Other Information

JPCERT Alert
JPCERT Reports
CERT Advisory
CPNI Advisory
TRnotes
CVE	CVE-2024-28125
	CVE-2024-28128
	CVE-2024-23604
	CVE-2024-28039
JVN iPedia	JVNDB-2024-000032

Update History

2024/03/18: Information under the section [Credit] was updated.

CVSS v3	CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N	Base Score: 6.1
CVSS v2	AV:N/AC:M/Au:N/C:N/I:P/A:N	Base Score: 4.3

CVSS v3	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N	Base Score: 5.8
CVSS v2	AV:N/AC:L/Au:N/C:P/I:N/A:N	Base Score: 5.0

CVSS v3	CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H	Base Score: 8.8
CVSS v2	AV:N/AC:L/Au:S/C:P/I:P/A:P	Base Score: 6.5

JVN#94521208 Multiple vulnerabilities in FitNesse