CVE-2017-12631

CWE-352 — Cross-Site Request Forgery (CSRF)4 documents4 sources

Severity

8.8HIGH

EPSS

1.4%

top 19.76%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Apache CXF Fediz Apache Software Foundation Apache CXF Fediz

Timeline

PublishedNov 30

Latest updateOct 18

Description

Apache CXF Fediz ships with a number of container-specific plugins to enable WS-Federation for applications. A CSRF (Cross Style Request Forgery) style vulnerability has been found in the Spring 2, Spring 3 and Spring 4 plugins in versions before 1.4.3 and 1.3.3. The vulnerability can result in a security context that is set up using a malicious client's roles for the given enduser.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages5 packages

▶Mavenorg.apache.cxf.fediz:fediz-spring1.4.0 — 1.4.3+1

▶Mavenorg.apache.cxf.fediz:fediz-spring21.4.0 — 1.4.3+1

▶Mavenorg.apache.cxf.fediz:fediz-spring31.4.0 — 1.4.3+1

▶CVEListV5apache_software_foundation/apache_cxf_fediz1.4.x prior to 1.4.3, prior to 1.3.3+1

▶NVDapache/cxf_fediz< 1.3.3+3

🔴Vulnerability Details

GHSA

Moderate severity vulnerability that affects org.apache.cxf.fediz:fediz-spring, org.apache.cxf.fediz:fediz-spring2, and org.apache.cxf.fediz:fediz-spring3↗2018-10-18

▶

OSV

Moderate severity vulnerability that affects org.apache.cxf.fediz:fediz-spring, org.apache.cxf.fediz:fediz-spring2, and org.apache.cxf.fediz:fediz-spring3↗2018-10-18

▶

CVEList

CVE-2017-12631: Apache CXF Fediz ships with a number of container-specific plugins to enable WS-Federation for applications↗2017-11-30

▶