CVE-2016-4464

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2016-4464

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2016-4464.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2016-4464

Aliases

GHSA-qpwj-mvv7-v3m9

Downstream

MGASA-2016-0243

Published

2016-09-21T18:59:04.897Z

Modified

2026-04-16T06:25:49.973538813Z

Severity

9.8 (Critical) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator

Summary

[none]

Details

The application plugins in Apache CXF Fediz 1.2.x before 1.2.3 and 1.3.x before 1.3.1 do not match SAML AudienceRestriction values against configured audience URIs, which might allow remote attackers to have bypass intended restrictions and have unspecified other impact via a crafted SAML token with a trusted signature.

References

Affected packages

Git / github.com/apache/cxf-fediz

Affected ranges

Type

GIT

Repo

https://github.com/apache/cxf-fediz

Events

Introduced

Last affected

12115db7bebfe66433eb6b5474c0455ab5c1b628

Introduced

Last affected

97ea63580759503576da76b1fb91aa20113664ae

Introduced

Last affected

5a53eb4cc6e60b4423c4af432219fc38f1257f55

Introduced

Last affected

e2b96849ced74ea1519871f6a68a6448e3f1ba98

Database specific

{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "last_affected": "1.2.0"
        },
        {
            "introduced": "0"
        },
        {
            "last_affected": "1.2.1"
        },
        {
            "introduced": "0"
        },
        {
            "last_affected": "1.2.2"
        },
        {
            "introduced": "0"
        },
        {
            "last_affected": "1.3.0"
        }
    ]
}

Affected versions

fediz-1.*

fediz-1.2.0

fediz-1.2.1

fediz-1.2.2

fediz-1.3.0

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2016-4464.json"