GHSA-fv7x-4hpc-hf9f
Suggest an improvement- Source
- https://github.com/advisories/GHSA-fv7x-4hpc-hf9f
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/10/GHSA-fv7x-4hpc-hf9f/GHSA-fv7x-4hpc-hf9f.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-fv7x-4hpc-hf9f
- Aliases
- Published
- 2018-10-18T16:57:21Z
- Modified
- 2024-12-03T06:08:37.329314Z
- Summary
- Moderate severity vulnerability that affects org.apache.cxf.fediz:fediz-spring, org.apache.cxf.fediz:fediz-spring2, and org.apache.cxf.fediz:fediz-spring3
- Details
-
Apache CXF Fediz ships with a number of container-specific plugins to enable WS-Federation for applications. A CSRF (Cross Style Request Forgery) style vulnerability has been found in the Spring 2, Spring 3 and Spring 4 plugins in versions before 1.4.3 and 1.3.3. The vulnerability can result in a security context that is set up using a malicious client's roles for the given enduser.
- Database specific
{ "nvd_published_at": "2017-11-30T14:29:00Z", "cwe_ids": [ "CWE-352" ], "severity": "MODERATE", "github_reviewed": true, "github_reviewed_at": "2020-06-16T21:35:15Z" }- References
-
- https://nvd.nist.gov/vuln/detail/CVE-2017-12631
- https://github.com/apache/cxf-fediz/commit/48dd9b68d67c6b729376c1ce8886f52a57df6c45
- https://github.com/apache/cxf-fediz/commit/ccdb12b26ff89e0a998a333e84dd84bd713ac76c
- https://github.com/advisories/GHSA-fv7x-4hpc-hf9f
- https://github.com/apache/cxf-fediz
- https://lists.apache.org/thread.html/r36e44ffc1a9b365327df62cdfaabe85b9a5637de102cea07d79b2dbf@%3Ccommits.cxf.apache.org%3E
- https://lists.apache.org/thread.html/rc774278135816e7afc943dc9fc78eb0764f2c84a2b96470a0187315c@%3Ccommits.cxf.apache.org%3E
- https://lists.apache.org/thread.html/rd49aabd984ed540c8ff7916d4d79405f3fa311d2fdbcf9ed307839a6@%3Ccommits.cxf.apache.org%3E
- https://lists.apache.org/thread.html/rec7160382badd3ef4ad017a22f64a266c7188b9ba71394f0d321e2d4@%3Ccommits.cxf.apache.org%3E
- https://lists.apache.org/thread.html/rfb87e0bf3995e7d560afeed750fac9329ff5f1ad49da365129b7f89e@%3Ccommits.cxf.apache.org%3E
- https://lists.apache.org/thread.html/rff42cfa5e7d75b7c1af0e37589140a8f1999e578a75738740b244bd4@%3Ccommits.cxf.apache.org%3E
- https://web.archive.org/web/20180122175008/http://cxf.547215.n5.nabble.com/Apache-CXF-Fediz-1-4-3-and-1-3-3-released-with-a-new-security-advisory-CVE-2017-12631-td5785868.html
- https://web.archive.org/web/20201208184733/http://www.securitytracker.com/id/1040487
- http://www.securityfocus.com/bid/102127
Affected packages
Maven / org.apache.cxf.fediz:fediz-spring2
Package
- Name
- org.apache.cxf.fediz:fediz-spring2
- View open source insights on deps.dev
- Purl
- pkg:maven/org.apache.cxf.fediz/fediz-spring2
Maven / org.apache.cxf.fediz:fediz-spring2
Package
- Name
- org.apache.cxf.fediz:fediz-spring2
- View open source insights on deps.dev
- Purl
- pkg:maven/org.apache.cxf.fediz/fediz-spring2
Maven / org.apache.cxf.fediz:fediz-spring3
Package
- Name
- org.apache.cxf.fediz:fediz-spring3
- View open source insights on deps.dev
- Purl
- pkg:maven/org.apache.cxf.fediz/fediz-spring3
Maven / org.apache.cxf.fediz:fediz-spring3
Package
- Name
- org.apache.cxf.fediz:fediz-spring3
- View open source insights on deps.dev
- Purl
- pkg:maven/org.apache.cxf.fediz/fediz-spring3
Maven / org.apache.cxf.fediz:fediz-spring
Package
- Name
- org.apache.cxf.fediz:fediz-spring
- View open source insights on deps.dev
- Purl
- pkg:maven/org.apache.cxf.fediz/fediz-spring
Maven / org.apache.cxf.fediz:fediz-spring
Package
- Name
- org.apache.cxf.fediz:fediz-spring
- View open source insights on deps.dev
- Purl
- pkg:maven/org.apache.cxf.fediz/fediz-spring