3 matches found
org.apache.cxf.fediz:apache-fediz (>=1.3.0 <=1.4.3) potentially affected by CVE-2018-8038 via org.apache.cxf.fediz:fediz-jetty9 (>=1.3.0 <=1.4.3)
org.apache.cxf.fediz:fediz-jetty9 MAVEN version =1.3.0, =1.3.0, =1.4.3 Source cves: CVE-2018-8038 Source advisory: OSV:GHSA-W3GH-G32M-CVHR...
org.apache.cxf.fediz.examples:jaxrsSpringSecurityWebapp (>=1.3.0 <=1.4.3), org.apache.cxf.fediz.examples:springPreauthWebapp (>=1.1.0 <=1.4.3) +6 more potentially affected by CVE-2018-8038 via org.apache.cxf.fediz:fediz-spring (>=1.1.0 <=1.4.3)
org.apache.cxf.fediz:fediz-spring MAVEN version =1.1.0, =1.3.0, =1.1.0, =1.1.0, =1.2.0, =1.2.0, =1.1.0, =1.1.0, =1.1.0, =1.4.3 Source cves: CVE-2018-8038 Source advisory: OSV:GHSA-W3GH-G32M-CVHR...
CVE-2018-8038
CVE-2018-8038 affects Apache CXF Fediz prior to 1.4.4, where Document Type Declarations (DTDs) are not fully disabled when parsing Identity Provider responses (in application plugins) or in the IdP for certain XML parameters. Connected sources reinforce that the underlying issue is DTD handling a...