GHSA-f5ch-36rg-vfcc

Source
https://github.com/advisories/GHSA-f5ch-36rg-vfcc
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-f5ch-36rg-vfcc/GHSA-f5ch-36rg-vfcc.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-f5ch-36rg-vfcc
Aliases
Published
2022-05-13T01:09:19Z
Modified
2024-02-16T08:11:54.586227Z
Severity
  • 8.8 (High) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Summary
Cross-Site Request Forgery in Apache CXF Fediz
Details

Apache CXF Fediz ships with an OpenID Connect (OIDC) service that includes a Client Registration Service, a simple web application that allows clients to be created, deleted, and so on. A Cross-Site Request Forgery (CSRF) vulnerability has been found in this web application in Apache CXF Fediz prior to 1.4.0 and 1.3.2. While the admin user is logged on to the client registration service and the session is still active, a malicious web application visited in the same browser could create new clients, reset client secrets, and perform similar actions on the admin's behalf.

Database specific
{
    "nvd_published_at": "2017-05-16T17:29:00Z",
    "cwe_ids": [
        "CWE-352"
    ],
    "severity": "HIGH",
    "github_reviewed": true,
    "github_reviewed_at": "2022-11-01T22:50:47Z"
}
References

Affected packages

Maven / org.apache.cxf.fediz:fediz-oidc

Package

Name
org.apache.cxf.fediz:fediz-oidc
Purl
pkg:maven/org.apache.cxf.fediz/fediz-oidc

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
1.3.2

Affected versions

1.*

1.3.0
1.3.1