Apache CXF Fediz ships with an OpenId Connect (OIDC) service which has a Client Registration Service, which is a simple web application that allows clients to be created, deleted, etc. A CSRF (Cross Style Request Forgery) style vulnerability has been found in this web application in Apache CXF Fediz prior to 1.4.0 and 1.3.2, meaning that a malicious web application could create new clients, or reset secrets, etc, after the admin user has logged on to the client registration service and the session is still active.
{
"source": [
"CPE_RANGE",
"CPE_STRING"
],
"cpe": [
"cpe:2.3:a:apache:cxf_fediz:*:*:*:*:*:*:*:*",
"cpe:2.3:a:apache:cxf_fediz:1.4.0:*:*:*:*:*:*:*"
],
"extracted_events": [
{
"introduced": "0"
},
{
"last_affected": "1.3.2"
},
{
"introduced": "1.4.0"
},
{
"last_affected": "1.4.0"
}
]
}