GHSA-3336-h95j-hvvf

Source

https://github.com/advisories/GHSA-3336-h95j-hvvf

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-3336-h95j-hvvf/GHSA-3336-h95j-hvvf.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-3336-h95j-hvvf

Aliases

CVE-2015-5253

Published

2022-05-13T01:09:20Z

Modified

2024-11-28T05:26:21.233969Z

Summary

Improper Access Control in Apache CXF

Details

The SAML Web SSO module in Apache CXF before 2.7.18, 3.0.x before 3.0.7, and 3.1.x before 3.1.3 allows remote authenticated users to bypass authentication via a crafted SAML response with a valid signed assertion, related to a "wrapping attack."

Database specific

{
    "github_reviewed": true,
    "nvd_published_at": "2015-11-18T16:59:00Z",
    "cwe_ids": [
        "CWE-284"
    ],
    "github_reviewed_at": "2022-07-06T20:13:40Z",
    "severity": "MODERATE"
}

References

Affected packages

Maven

org.apache.cxf:cxf-rt-rs-security-sso-saml

Package

Name: org.apache.cxf:cxf-rt-rs-security-sso-saml; View open source insights on deps.dev
Purl: pkg:maven/org.apache.cxf/cxf-rt-rs-security-sso-saml

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

2.7.18

Affected versions

2.*

2.6.1

2.6.2

2.6.3

2.6.4

2.6.5

2.6.6

2.6.7

2.6.8

2.6.9

2.6.10

2.6.11

2.6.12

2.6.13

2.6.14

2.6.15

2.6.16

2.6.17

2.7.0

2.7.1

2.7.2

2.7.3

2.7.4

2.7.5

2.7.6

2.7.7

2.7.8

2.7.9

2.7.10

2.7.11

2.7.12

2.7.13

2.7.14

2.7.15

2.7.16

2.7.17

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-3336-h95j-hvvf/GHSA-3336-h95j-hvvf.json"

last_known_affected_version_range

"<= 2.7.17"

org.apache.cxf:cxf-rt-rs-security-sso-saml

Package

Name: org.apache.cxf:cxf-rt-rs-security-sso-saml; View open source insights on deps.dev
Purl: pkg:maven/org.apache.cxf/cxf-rt-rs-security-sso-saml

Affected ranges

Type: ECOSYSTEM
Events: Introduced

3.0.0

Fixed

3.0.7

Affected versions

3.*

3.0.0

3.0.1

3.0.2

3.0.3

3.0.4

3.0.5

3.0.6

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-3336-h95j-hvvf/GHSA-3336-h95j-hvvf.json"

last_known_affected_version_range

"<= 3.0.6"

org.apache.cxf:cxf-rt-rs-security-sso-saml

Package

Name: org.apache.cxf:cxf-rt-rs-security-sso-saml; View open source insights on deps.dev
Purl: pkg:maven/org.apache.cxf/cxf-rt-rs-security-sso-saml

Affected ranges

Type: ECOSYSTEM
Events: Introduced

3.1.0

Fixed

3.1.3

Affected versions

3.*

3.1.0

3.1.1

3.1.2

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-3336-h95j-hvvf/GHSA-3336-h95j-hvvf.json"

last_known_affected_version_range

"<= 3.1.2"