CVE-2015-5253

CWE-264 CWE-284 — Improper Access Control6 documents6 sources

Severity

4.0MEDIUM

EPSS

0.3%

top 43.49%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Apache CXF

Timeline

PublishedNov 18

Latest updateMay 13

Description

The SAML Web SSO module in Apache CXF before 2.7.18, 3.0.x before 3.0.7, and 3.1.x before 3.1.3 allows remote authenticated users to bypass authentication via a crafted SAML response with a valid signed assertion, related to a "wrapping attack."

CVSS vector

AV:N/AC:L/C:N/I:P/A:NExploitability: 8.0 | Impact: 2.9

Affected Packages2 packages

▶Mavenorg.apache.cxf:cxf-rt-rs-security-sso-saml3.0.0 — 3.0.7+2

▶NVDapache/cxf3.0.0 — 3.0.7+2

🔴Vulnerability Details

GHSA

Improper Access Control in Apache CXF↗2022-05-13

▶

OSV

Improper Access Control in Apache CXF↗2022-05-13

▶

CVEList

CVE-2015-5253: The SAML Web SSO module in Apache CXF before 2↗2015-11-18

▶

📋Vendor Advisories

Red Hat

apache-cxf: SAML SSO processing is vulnerable to wrapping attack↗2015-11-14

▶

💬Community

Bugzilla

CVE-2015-5253 apache-cxf: SAML SSO processing is vulnerable to wrapping attack↗2015-11-16

▶