CVE-2016-4464

CWE-284 — Improper Access Control4 documents4 sources

Severity

9.8CRITICAL

EPSS

2.1%

top 16.10%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Apache CXF Fediz

Timeline

PublishedSep 21

Latest updateOct 18

Description

The application plugins in Apache CXF Fediz 1.2.x before 1.2.3 and 1.3.x before 1.3.1 do not match SAML AudienceRestriction values against configured audience URIs, which might allow remote attackers to have bypass intended restrictions and have unspecified other impact via a crafted SAML token with a trusted signature.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages3 packages

▶Mavenorg.apache.cxf.fediz:fediz-spring1.2.0 — 1.2.3+1

▶Mavenorg.apache.cxf.fediz:fediz-spring21.2.0 — 1.2.3+1

▶NVDapache/cxf_fediz4 versions+3

🔴Vulnerability Details

OSV

High severity vulnerability that affects org.apache.cxf.fediz:fediz-spring and org.apache.cxf.fediz:fediz-spring2↗2018-10-18

▶

GHSA

High severity vulnerability that affects org.apache.cxf.fediz:fediz-spring and org.apache.cxf.fediz:fediz-spring2↗2018-10-18

▶

CVEList

CVE-2016-4464: The application plugins in Apache CXF Fediz 1↗2016-09-21

▶