GHSA-3336-h95j-hvvf

Source
https://github.com/advisories/GHSA-3336-h95j-hvvf
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-3336-h95j-hvvf/GHSA-3336-h95j-hvvf.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-3336-h95j-hvvf
Aliases
  • CVE-2015-5253
Published
2022-05-13T01:09:20Z
Modified
2024-11-28T05:26:21.233969Z
Summary
Improper Access Control in Apache CXF
Details

The SAML Web SSO module in Apache CXF before 2.7.18, 3.0.x before 3.0.7, and 3.1.x before 3.1.3 allows remote authenticated users to bypass authentication via a crafted SAML response with a valid signed assertion, related to a "wrapping attack."

Database specific
{
    "nvd_published_at": "2015-11-18T16:59:00Z",
    "cwe_ids": [
        "CWE-284"
    ],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2022-07-06T20:13:40Z"
}
References

Affected packages

Maven / org.apache.cxf:cxf-rt-rs-security-sso-saml

Package

Name
org.apache.cxf:cxf-rt-rs-security-sso-saml
Purl
pkg:maven/org.apache.cxf/cxf-rt-rs-security-sso-saml

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
2.7.18

Affected versions

2.*

2.6.1
2.6.2
2.6.3
2.6.4
2.6.5
2.6.6
2.6.7
2.6.8
2.6.9
2.6.10
2.6.11
2.6.12
2.6.13
2.6.14
2.6.15
2.6.16
2.6.17
2.7.0
2.7.1
2.7.2
2.7.3
2.7.4
2.7.5
2.7.6
2.7.7
2.7.8
2.7.9
2.7.10
2.7.11
2.7.12
2.7.13
2.7.14
2.7.15
2.7.16
2.7.17

Database specific

{
    "last_known_affected_version_range": "<= 2.7.17"
}

Maven / org.apache.cxf:cxf-rt-rs-security-sso-saml

Package

Name
org.apache.cxf:cxf-rt-rs-security-sso-saml
Purl
pkg:maven/org.apache.cxf/cxf-rt-rs-security-sso-saml

Affected ranges

Type
ECOSYSTEM
Events
Introduced
3.0.0
Fixed
3.0.7

Affected versions

3.*

3.0.0
3.0.1
3.0.2
3.0.3
3.0.4
3.0.5
3.0.6

Database specific

{
    "last_known_affected_version_range": "<= 3.0.6"
}

Maven / org.apache.cxf:cxf-rt-rs-security-sso-saml

Package

Name
org.apache.cxf:cxf-rt-rs-security-sso-saml
Purl
pkg:maven/org.apache.cxf/cxf-rt-rs-security-sso-saml

Affected ranges

Type
ECOSYSTEM
Events
Introduced
3.1.0
Fixed
3.1.3

Affected versions

3.*

3.1.0
3.1.1
3.1.2

Database specific

{
    "last_known_affected_version_range": "<= 3.1.2"
}