CVE-2017-3165 in Brooklyn
Summary
by MITRE
In Apache Brooklyn before 0.10.0, the REST server is vulnerable to cross-site scripting where one authenticated user can cause scripts to run in the browser of another user authorized to access the first user's resources. This is due to improper escaping of server-side content. There is known to be a proof-of-concept exploit using this vulnerability.
Analysis
by VulDB Data Team • 11/15/2019
Apache Brooklyn version 0.10.0 and earlier contains a critical cross-site scripting vulnerability that allows authenticated users to inject malicious scripts into the web interface of other authenticated users. This vulnerability stems from inadequate input sanitization and output escaping mechanisms within the REST server component of the application. The flaw exists in the server-side rendering logic where user-provided data is not properly escaped before being rendered in the browser context, creating an avenue for persistent script injection attacks.
In practice, an attacker with valid credentials can submit data through the application's REST endpoints so that malicious JavaScript is stored and later executed in the browser of other authenticated users. This creates a privilege escalation scenario in which a lower-privileged user can compromise the session of another user who has access to shared resources. The vulnerability specifically affects the server-side content rendering process, where dynamic data supplied by authenticated users is embedded directly into web pages without HTML escaping or context-appropriate sanitization. This type of flaw falls under CWE-79, Cross-Site Scripting, which is classified as a critical security weakness in web applications. The vulnerability is particularly dangerous because it exploits the trust relationship between authenticated users and the application, making it difficult to detect and prevent.
The operational impact of this vulnerability is significant for organizations using Apache Brooklyn as their application management platform. An attacker could potentially steal session cookies, perform unauthorized actions on behalf of other users, or gain access to sensitive resource information. The proof-of-concept exploit demonstrates that this vulnerability can be reliably triggered through normal user interactions with the REST API, making it particularly dangerous in environments where multiple users share administrative access to the same Brooklyn instances. This vulnerability essentially undermines the authentication and authorization mechanisms of the platform, as it allows attackers to bypass normal access controls through client-side script execution. The attack vector is particularly concerning because it requires no special privileges beyond legitimate user access, making it a persistent threat that could remain undetected for extended periods.
Organizations should immediately upgrade to Apache Brooklyn version 0.10.0 or later, where this vulnerability has been addressed through proper input sanitization and output escaping. The fix in the newer version ensures that all user-provided content is escaped before being rendered in the browser context, following standard practices for preventing XSS attacks. Security teams should also monitor for suspicious API usage patterns and consider deploying Content Security Policy headers as a defensive measure. This vulnerability aligns with ATT&CK technique T1059.007, Command and Scripting Interpreter: JavaScript, and is a classic example of how server-side rendering flaws create persistent client-side attack vectors. Organizations should also review their access control policies and apply least-privilege principles to limit the impact of such vulnerabilities in environments where users have broad administrative capabilities.
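As an added illustration in JavaScript (not code from Apache Brooklyn or VulDB), the pattern the analysis describes: a display name stored by one user and rendered for another, first concatenated into HTML unescaped, then with context-aware escaping, alongside an allowlist check that can serve as a regression test and the kind of CSP header recommended above. The entity name, function names and CSP value are constructed assumptions.

```javascript
// Constructed sample: a value one authenticated user stores via a REST
// endpoint and another authorized user later sees rendered in the UI.
// The marker is the classic harmless XSS canary, not a real payload.
const STORED_DISPLAY_NAME = 'web-app <img src=x onerror="alert(1)"> cluster';

// Vulnerable pattern (CWE-79): user-controlled data is concatenated
// straight into server-rendered HTML, so any tag it contains is live.
function renderEntityUnsafe(displayName) {
  return `<li class="entity">${displayName}</li>`;
}

// Fix: escape every character that can change meaning in an HTML
// text or attribute context before the value reaches the page.
function escapeHtml(value) {
  const map = {
    '&': '&amp;', '<': '&lt;', '>': '&gt;',
    '"': '&quot;', "'": '&#39;', '/': '&#x2F;',
  };
  return String(value).replace(/[&<>"'/]/g, (ch) => map[ch]);
}

function renderEntitySafe(displayName) {
  return `<li class="entity">${escapeHtml(displayName)}</li>`;
}

// Regression check: list tag names in a rendered fragment that are not
// part of the template's own markup. Escaped text ("&lt;img") does not
// match, so a correct renderer yields an empty list.
function unexpectedTags(html, allowedTags) {
  const allowed = new Set(allowedTags.map((t) => t.toLowerCase()));
  const found = new Set();
  for (const m of html.matchAll(/<\/?\s*([a-zA-Z][\w-]*)/g)) {
    const name = m[1].toLowerCase();
    if (!allowed.has(name)) found.add(name);
  }
  return [...found];
}

// Defence in depth: with inline script handlers disallowed, an escaping
// bug that slips through no longer executes an onerror= attribute.
function contentSecurityPolicyHeader() {
  return "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'";
}

console.log(renderEntityUnsafe(STORED_DISPLAY_NAME));
console.log(renderEntitySafe(STORED_DISPLAY_NAME));
console.log(unexpectedTags(renderEntityUnsafe(STORED_DISPLAY_NAME), ['li']));
```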