CVE-2016-4464

Source
https://cve.org/CVERecord?id=CVE-2016-4464
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2016-4464.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2016-4464
Aliases
Downstream
Published
2016-09-21T18:59:04.897Z
Modified
2026-07-08T12:06:01.785658Z
Severity
  • 9.8 (Critical) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
Summary
[none]
Details

The application plugins in Apache CXF Fediz 1.2.x before 1.2.3 and 1.3.x before 1.3.1 do not match SAML AudienceRestriction values against configured audience URIs, which might allow remote attackers to have bypass intended restrictions and have unspecified other impact via a crafted SAML token with a trusted signature.

References

Affected packages

Git / github.com/apache/cxf-fediz

Affected ranges

Type
GIT
Repo
https://github.com/apache/cxf-fediz
Events
Database specific
{
    "cpe": [
        "cpe:2.3:a:apache:cxf_fediz:1.2.0:*:*:*:*:*:*:*",
        "cpe:2.3:a:apache:cxf_fediz:1.2.1:*:*:*:*:*:*:*",
        "cpe:2.3:a:apache:cxf_fediz:1.2.2:*:*:*:*:*:*:*",
        "cpe:2.3:a:apache:cxf_fediz:1.3.0:*:*:*:*:*:*:*"
    ],
    "extracted_events": [
        {
            "introduced": "1.2.0"
        },
        {
            "last_affected": "1.2.0"
        },
        {
            "introduced": "1.2.1"
        },
        {
            "last_affected": "1.2.1"
        },
        {
            "introduced": "1.2.2"
        },
        {
            "last_affected": "1.2.2"
        },
        {
            "introduced": "1.3.0"
        },
        {
            "last_affected": "1.3.0"
        }
    ],
    "source": "CPE_STRING"
}

Affected versions

1.*
1.2.0
1.2.1
1.2.2
1.3.0
fediz-1.*
fediz-1.2.0
fediz-1.3.0

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2016-4464.json"