GHSA-FV7X-4HPC-HF9F Moderate severity vulnerability that affects org.apache.cxf.fediz:fediz-spring, org.apache.cxf.fediz:fediz-spring2, and org.apache.cxf.fediz:fediz-spring3

Apache CXF Fediz ships with a number of container-specific plugins to enable WS-Federation for applications. A CSRF Cross Style Request Forgery style vulnerability has been found in the Spring 2, Spring 3 and Spring 4 plugins in versions before 1.4.3 and 1.3.3. The vulnerability can result in a...

org.apache.cxf.fediz.examples:jaxrsSpringSecurityWebapp (>=1.3.0 <=1.3.2), org.apache.cxf.fediz.examples:springPreauthWebapp (>=1.1.0 <=1.3.2) +6 more potentially affected by CVE-2017-12631 via org.apache.cxf.fediz:fediz-spring (>=1.1.0 <=1.3.2)

org.apache.cxf.fediz:fediz-spring MAVEN version =1.1.0, =1.3.0, =1.1.0, =1.1.0, =1.2.0, =1.2.0, =1.1.0, =1.1.0, =1.1.0, =1.3.2 Source cves: CVE-2017-12631 Source advisory: OSV:GHSA-FV7X-4HPC-HF9F...

org.apache.cxf.fediz.examples:jaxrsSpringSecurityWebapp (>=1.4.0 <=1.4.2), org.apache.cxf.fediz.examples:springPreauthWebapp (>=1.4.0 <=1.4.2) +4 more potentially affected by CVE-2017-12631 via org.apache.cxf.fediz:fediz-spring (>=1.4.0 <=1.4.2)

org.apache.cxf.fediz:fediz-spring MAVEN version =1.4.0, =1.4.0, =1.4.0, =1.4.0, =1.4.0, =1.4.0, =1.4.0, =1.4.2 Source cves: CVE-2017-12631 Source advisory: OSV:GHSA-FV7X-4HPC-HF9F...

org.apache.cxf.fediz.examples:spring2Webapp (>=1.1.0 <=1.3.2), org.apache.cxf.fediz.systests.webapps:fediz-systests-webapps-spring2 (>=1.2.0 <=1.3.2) +2 more potentially affected by CVE-2017-12631 via org.apache.cxf.fediz:fediz-spring2 (>=1.1.0 <=1.3.2)

org.apache.cxf.fediz:fediz-spring2 MAVEN version =1.1.0, =1.1.0, =1.2.0, =1.1.0, =1.1.0, =1.3.2 Source cves: CVE-2017-12631 Source advisory: OSV:GHSA-FV7X-4HPC-HF9F...

org.apache.cxf.fediz.examples:jaxrsSpringSecurityWebapp (=1.3.0), org.apache.cxf.fediz.examples:springPreauthWebapp (=1.3.0) +4 more potentially affected by CVE-2016-4464 via org.apache.cxf.fediz:fediz-spring (=1.3.0)

org.apache.cxf.fediz:fediz-spring MAVEN version =1.3.0 is affected by a known vulnerability. The following packages have a transitive dependency on org.apache.cxf.fediz:fediz-spring and may be impacted: - org.apache.cxf.fediz.examples:jaxrsSpringSecurityWebapp =1.3.0 -...

GHSA-QPWJ-MVV7-V3M9 High severity vulnerability that affects org.apache.cxf.fediz:fediz-spring and org.apache.cxf.fediz:fediz-spring2

The application plugins in Apache CXF Fediz 1.2.x before 1.2.3 and 1.3.x before 1.3.1 do not match SAML AudienceRestriction values against configured audience URIs, which might allow remote attackers to have bypass intended restrictions and have unspecified other impact via a crafted SAML token...

org.apache.cxf.fediz.examples:springPreauthWebapp (>=1.2.0 <=1.2.2), org.apache.cxf.fediz.examples:springWebapp (>=1.2.0 <=1.2.2) +3 more potentially affected by CVE-2016-4464 via org.apache.cxf.fediz:fediz-spring (>=1.2.0 <=1.2.2)

org.apache.cxf.fediz:fediz-spring MAVEN version =1.2.0, =1.2.0, =1.2.0, =1.2.0, =1.2.0, =1.2.0, =1.2.2 Source cves: CVE-2016-4464 Source advisory: OSV:GHSA-QPWJ-MVV7-V3M9...

org.apache.cxf.fediz.examples:spring2Webapp (=1.3.0), org.apache.cxf.fediz.systests.webapps:fediz-systests-webapps-spring2 (=1.3.0) +1 more potentially affected by CVE-2016-4464 via org.apache.cxf.fediz:fediz-spring2 (=1.3.0)

org.apache.cxf.fediz:fediz-spring2 MAVEN version =1.3.0 is affected by a known vulnerability. The following packages have a transitive dependency on org.apache.cxf.fediz:fediz-spring2 and may be impacted: - org.apache.cxf.fediz.examples:spring2Webapp =1.3.0 -...

org.apache.cxf.fediz.examples:jaxrsSpringSecurityWebapp (>=1.3.0 <=1.4.3), org.apache.cxf.fediz.examples:springPreauthWebapp (>=1.1.0 <=1.4.3) +6 more potentially affected by CVE-2018-8038 via org.apache.cxf.fediz:fediz-spring (>=1.1.0 <=1.4.3)

org.apache.cxf.fediz:fediz-spring MAVEN version =1.1.0, =1.3.0, =1.1.0, =1.1.0, =1.2.0, =1.2.0, =1.1.0, =1.1.0, =1.1.0, =1.4.3 Source cves: CVE-2018-8038 Source advisory: OSV:GHSA-W3GH-G32M-CVHR...

GHSA-W3GH-G32M-CVHR High severity vulnerability that affects org.apache.cxf.fediz:fediz-jetty8, org.apache.cxf.fediz:fediz-jetty9, org.apache.cxf.fediz:fediz-spring, org.apache.cxf.fediz:fediz-spring2, and org.apache.cxf.fediz:fediz-spring3

Versions of Apache CXF Fediz prior to 1.4.4 do not fully disable Document Type Declarations DTDs when either parsing the Identity Provider response in the application plugins, or in the Identity Provider itself when parsing certain XML-based parameters...

org.apache.cxf.fediz.examples:spring2Webapp (>=1.1.0 <=1.2.3), org.apache.cxf.fediz.systests.webapps:fediz-systests-webapps-spring2 (>=1.2.0 <=1.2.3) +2 more potentially affected by CVE-2017-7661 via org.apache.cxf.fediz:fediz-spring2 (>=1.1.0 <=1.2.3)

org.apache.cxf.fediz:fediz-spring2 MAVEN version =1.1.0, =1.1.0, =1.2.0, =1.1.0, =1.1.0, =1.2.3 Source cves: CVE-2017-7661 Source advisory: OSV:GHSA-WHW7-H25V-9QVX...