GHSA-v936-x3j5-c76j

Source

https://github.com/advisories/GHSA-v936-x3j5-c76j

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-v936-x3j5-c76j/GHSA-v936-x3j5-c76j.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-v936-x3j5-c76j

Aliases

CVE-2017-5656

Published

2022-05-13T01:09:19Z

Modified

2024-02-22T05:34:09.525375Z

Severity

7.5 (High) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N CVSS Calculator

Summary

Session Fixation in Apache CXF

Details

Apache CXF's STSClient before 3.1.11 and 3.0.13 uses a flawed way of caching tokens that are associated with delegation tokens, which means that an attacker could craft a token which would return an identifer corresponding to a cached token for another user.

Database specific

{
    "nvd_published_at": "2017-04-18T16:59:00Z",
    "cwe_ids": [
        "CWE-384"
    ],
    "severity": "HIGH",
    "github_reviewed": true,
    "github_reviewed_at": "2022-07-01T11:58:52Z"
}

References

Affected packages

Maven / org.apache.cxf:cxf-core

Package

Name: org.apache.cxf:cxf-core; View open source insights on deps.dev
Purl: pkg:maven/org.apache.cxf/cxf-core

Affected ranges

Type: ECOSYSTEM
Events: Introduced

3.1.0

Fixed

3.1.11

Affected versions

3.*

3.1.0

3.1.1

3.1.2

3.1.3

3.1.4

3.1.5

3.1.6

3.1.7

3.1.8

3.1.9

3.1.10

Database specific

{
    "last_known_affected_version_range": "<= 3.1.10"
}

Maven / org.apache.cxf:cxf-core

Package

Name: org.apache.cxf:cxf-core; View open source insights on deps.dev
Purl: pkg:maven/org.apache.cxf/cxf-core

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

3.0.13

Affected versions

3.*

3.0.0-milestone1

3.0.0-milestone2

3.0.0

3.0.1

3.0.2

3.0.3

3.0.4

3.0.5

3.0.6

3.0.7

3.0.8

3.0.9

3.0.10

3.0.11

3.0.12

Database specific

{
    "last_known_affected_version_range": "<= 3.0.12"
}