Lucene search

Veracode Vulnerability DatabaseVERACODE:10967

HistoryJan 15, 2019 - 8:54 a.m.

Authentication Bypass In The SecurityTokenService

2019-01-1508:54:53

Veracode Vulnerability Database

sca.analysiscenter.veracode.com

4.3 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:M/Au:N/C:P/I:N/A:N

JSON

The SecurityTokenService (STS) in Apache CXF before 2.6.12 and 2.7.x before 2.7.9 does not properly validate SAML tokens when caching is enabled, which allows remote attackers to gain access via an invalid SAML token.

CPENameOperatorVersion
resteasyeq2.3.7__2.Final_redhat_2.ep6.el5
resteasyeq2.3.3__4.Final_redhat_1.ep6.el5
resteasyeq1.2.1__18.CP02_patch02.1.ep5.el5
resteasyeq1.2.1__10.CP02_patch01.1.ep5.el5
resteasyeq1.2.1__10.CP02_patch01.1.ep5.el6
resteasyeq2.3.7__2.Final_redhat_2.ep6.el6
resteasyeq2.3.4__4.Final_redhat_2.ep6.el5.3
resteasyeq2.3.4__4.Final_redhat_2.ep6.el6.3
resteasyeq1.2.1__9.CP02.4.ep5.el5
resteasyeq2.3.6__1.Final_redhat_1.ep6.el6

Name	Operator	Version
resteasy	eq	2.3.7__2.Final_redhat_2.ep6.el5
resteasy	eq	2.3.3__4.Final_redhat_1.ep6.el5
resteasy	eq	1.2.1__18.CP02_patch02.1.ep5.el5
resteasy	eq	1.2.1__10.CP02_patch01.1.ep5.el5
resteasy	eq	1.2.1__10.CP02_patch01.1.ep5.el6
resteasy	eq	2.3.7__2.Final_redhat_2.ep6.el6
resteasy	eq	2.3.4__4.Final_redhat_2.ep6.el5.3
resteasy	eq	2.3.4__4.Final_redhat_2.ep6.el6.3
resteasy	eq	1.2.1__9.CP02.4.ep5.el5
resteasy	eq	2.3.6__1.Final_redhat_1.ep6.el6

Rows per page:

1-10 of 11311

References

cxf.apache.org/security-advisories.data/CVE-2014-0034.txt.asc

rhn.redhat.com/errata/RHSA-2014-0797.html

rhn.redhat.com/errata/RHSA-2014-0798.html

rhn.redhat.com/errata/RHSA-2014-0799.html

rhn.redhat.com/errata/RHSA-2014-1351.html

rhn.redhat.com/errata/RHSA-2015-0850.html

rhn.redhat.com/errata/RHSA-2015-0851.html

svn.apache.org/viewvc?view=revision&revision=1551228

www.securityfocus.com/bid/68441

access.redhat.com/security/updates/classification/#moderate

access.redhat.com/site/documentation/en-US/JBoss_Enterprise_Application_Platform/6.2/html-single/6.2.4_Release_Notes/index.html

bugzilla.redhat.com/show_bug.cgi?id=1090473

bugzilla.redhat.com/show_bug.cgi?id=1103767

bugzilla.redhat.com/show_bug.cgi?id=1103873

bugzilla.redhat.com/show_bug.cgi?id=1104167

bugzilla.redhat.com/show_bug.cgi?id=1105592

bugzilla.redhat.com/show_bug.cgi?id=1105658

bugzilla.redhat.com/show_bug.cgi?id=1106546

bugzilla.redhat.com/show_bug.cgi?id=1106580

bugzilla.redhat.com/show_bug.cgi?id=1106583

bugzilla.redhat.com/show_bug.cgi?id=1106586

bugzilla.redhat.com/show_bug.cgi?id=1106590

bugzilla.redhat.com/show_bug.cgi?id=1109954

lists.apache.org/thread.html/r36e44ffc1a9b365327df62cdfaabe85b9a5637de102cea07d79b2dbf@%3Ccommits.cxf.apache.org%3E

lists.apache.org/thread.html/rc774278135816e7afc943dc9fc78eb0764f2c84a2b96470a0187315c@%3Ccommits.cxf.apache.org%3E

lists.apache.org/thread.html/rd49aabd984ed540c8ff7916d4d79405f3fa311d2fdbcf9ed307839a6@%3Ccommits.cxf.apache.org%3E

lists.apache.org/thread.html/rec7160382badd3ef4ad017a22f64a266c7188b9ba71394f0d321e2d4@%3Ccommits.cxf.apache.org%3E

lists.apache.org/thread.html/rfb87e0bf3995e7d560afeed750fac9329ff5f1ad49da365129b7f89e@%3Ccommits.cxf.apache.org%3E

lists.apache.org/thread.html/rff42cfa5e7d75b7c1af0e37589140a8f1999e578a75738740b244bd4@%3Ccommits.cxf.apache.org%3E

rhn.redhat.com/errata/RHSA-2014-0798.html

4.3 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:M/Au:N/C:P/I:N/A:N

JSON

Related for VERACODE:10967