6 matches found
CVE-2018-8038
CVE-2018-8038 affects Apache CXF Fediz prior to 1.4.4, where Document Type Declarations (DTDs) are not fully disabled when parsing Identity Provider responses (in application plugins) or in the IdP for certain XML parameters. Connected sources reinforce that the underlying issue is DTD handling a...
CVE-2017-12631
CVE-2017-12631 affects Apache CXF Fediz WS-Federation plugins (Spring 2, 3, 4). The root cause is a CSRF vulnerability that can cause a security context to be established using a malicious client’s roles for the end user. Affected components are the Fediz Spring plugins in versions before 1.4.3 a...
CVE-2015-5175
The CVE-2015-5175 issue affects Apache CXF Fediz application plugins. Versions prior to 1.1.3 and 1.2.x prior to 1.2.1 are vulnerable to a remote DoS attack. The vulnerability is triggered by specially crafted requests, allowing remote attackers to cause denial of service. The DoS impact is descr...
CVE-2017-7661
CVE-2017-7661 affects Apache CXF Fediz container-specific WS-Federation plugins (Spring 2, Spring 3, Jetty 8, Jetty 9) in CXF Fediz prior to versions 1.4.0, 1.3.2, and 1.2.4. The issue is described as a CSRF‑style vulnerability. The connected documents confirm the affected plugins and versions bu...
CVE-2017-7662
Apache CXF Fediz’s OpenID Connect Client Registration Service is vulnerable to CSRF in versions prior to 1.4.0 and 1.3.2. A malicious web app could create new clients or reset secrets after an admin logs in and the session remains active. The connected sources corroborate the same description acr...
CVE-2016-4464
CVE-2016-4464 affects Apache CXF Fediz 1.2.x before 1.2.3 and 1.3.x before 1.3.1. The issue is a mismatch between SAML AudienceRestriction values and configured audience URIs, which may allow a remote attacker to bypass intended restrictions by presenting a crafted SAML token with a trusted signa...