CVE-2014-0034

CWE-20 — Improper Input Validation CWE-3459 documents7 sources

Severity

4.3MEDIUM

EPSS

1.9%

top 16.94%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Apache CXF Redhat Jboss Enterprise Application Platform

Timeline

PublishedJul 7

Latest updateMay 13

Description

The SecurityTokenService (STS) in Apache CXF before 2.6.12 and 2.7.x before 2.7.9 does not properly validate SAML tokens when caching is enabled, which allows remote attackers to gain access via an invalid SAML token.

CVSS vector

AV:N/AC:M/C:P/I:N/A:NExploitability: 8.6 | Impact: 2.9

Affected Packages3 packages

▶Mavenorg.apache.cxf:cxf-rt-ws-security2.7.0 — 2.7.9+1

▶NVDapache/cxf2.6.11+20

▶NVDredhat/jboss_enterprise_application_platform6.0.0, 6.2.0+1

Patches

Patch: svn.apache.org ↗Patch: svn.apache.org ↗

🔴Vulnerability Details

GHSA

Improper Input Validation in Apache CXF↗2022-05-13

▶

OSV

Improper Input Validation in Apache CXF↗2022-05-13

▶

CVEList

CVE-2014-0034: The SecurityTokenService (STS) in Apache CXF before 2↗2014-07-07

▶

💥Exploits & PoCs

Exploit-DB

Microsoft Internet Explorer 9/10 - CFormElement Use-After-Free / Memory Corruption (PoC) (MS14-035)↗2014-07-08

▶

📋Vendor Advisories

Red Hat

CXF: The SecurityTokenService accepts certain invalid SAML Tokens as valid↗2014-05-01

▶

💬Community

Bugzilla

CVE-2014-0034 Apache CXF: The SecurityTokenService accepts certain invalid SAML Tokens as valid [fedora-all]↗2014-05-07

▶

Bugzilla

CVE-2014-0034 Apache CXF: The SecurityTokenService accepts certain invalid SAML Tokens as valid↗2014-05-02

▶

Bugzilla

CVE-2014-0171 Odata4j: XML eXternal Entity (XXE) flaw↗2014-04-08

▶