Lucene search

[email protected]CVE-2017-7662

HistoryMay 16, 2017 - 5:29 p.m.

CVE-2017-7662

2017-05-1617:29:00

CWE-352

[email protected]

web.nvd.nist.gov

cve-2017-7662

apache cxf fediz

oidc

csrf

vulnerability

security

nvd

8.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

8.6 High

AI Score

Confidence

High

6.8 Medium

CVSS2

Access Vector

Access Complexity

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:P/I:P/A:P

0.001 Low

EPSS

Percentile

50.4%

JSON

Apache CXF Fediz ships with an OpenId Connect (OIDC) service which has a Client Registration Service, which is a simple web application that allows clients to be created, deleted, etc. A CSRF (Cross Style Request Forgery) style vulnerability has been found in this web application in Apache CXF Fediz prior to 1.4.0 and 1.3.2, meaning that a malicious web application could create new clients, or reset secrets, etc, after the admin user has logged on to the client registration service and the session is still active.

Affected configurations

Vulners

NVD

Node

apachecxf_fedizRange≤1.4.0

apachecxf_fedizRange≤1.3.2

apachecxf_fedizRange≤1.2.4.

CPENameOperatorVersion
apache:cxf_fedizapache cxf fedizle1.3.2
apache:cxf_fedizapache cxf fedizeq1.4.0

CPE	Name	Operator	Version
apache:cxf_fediz	apache cxf fediz	le	1.3.2
apache:cxf_fediz	apache cxf fediz	eq	1.4.0

CNA Affected

[
  {
    "product": "Apache CXF Fediz",
    "vendor": "Apache Software Foundation",
    "versions": [
      {
        "status": "affected",
        "version": "prior to 1.4.0, 1.3.2 and 1.2.4."
      }
    ]
  }
]

References

cxf.apache.org/security-advisories.data/CVE-2017-7662.txt.asc

www.securitytracker.com/id/1038498

lists.apache.org/thread.html/r36e44ffc1a9b365327df62cdfaabe85b9a5637de102cea07d79b2dbf%40%3Ccommits.cxf.apache.org%3E

lists.apache.org/thread.html/rc774278135816e7afc943dc9fc78eb0764f2c84a2b96470a0187315c%40%3Ccommits.cxf.apache.org%3E

lists.apache.org/thread.html/rd49aabd984ed540c8ff7916d4d79405f3fa311d2fdbcf9ed307839a6%40%3Ccommits.cxf.apache.org%3E

lists.apache.org/thread.html/rec7160382badd3ef4ad017a22f64a266c7188b9ba71394f0d321e2d4%40%3Ccommits.cxf.apache.org%3E

lists.apache.org/thread.html/rfb87e0bf3995e7d560afeed750fac9329ff5f1ad49da365129b7f89e%40%3Ccommits.cxf.apache.org%3E

lists.apache.org/thread.html/rff42cfa5e7d75b7c1af0e37589140a8f1999e578a75738740b244bd4%40%3Ccommits.cxf.apache.org%3E

8.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

8.6 High

AI Score

Confidence

High

6.8 Medium

CVSS2

Access Vector

Access Complexity

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:P/I:P/A:P

0.001 Low

EPSS

Percentile

50.4%

JSON

Related for CVE-2017-7662

prion1 nvd1 cvelist1 veracode1 osv2 github1