CVE-2017-5656

CWE-384 | 7 documents | 6 sources

Severity: 7.5 HIGH
EPSS: 2.4% (top 14.99%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Apr 18; latest update May 13

Description

Apache CXF's STSClient before 3.1.11 and 3.0.13 uses a flawed way of caching tokens that are associated with delegation tokens, which means that an attacker could craft a token which would return an identifier corresponding to a cached token for another user.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Exploitability: 3.9 | Impact: 3.6

Affected Packages (3 packages)

Source     | Package                                | Introduced | Fixed  | Notes
NVD        | apache/cxf                             | 3.0.0      | 3.0.13 | +1
Maven      | org.apache.cxf:cxf-core                | 3.1.0      | 3.1.11 | +1
CVEListV5  | apache_software_foundation/apache_cxf  | 3.1.x before 3.1.11, versions before 3.0.13 | | +1

Patches

🔴 Vulnerability Details (3)

OSV: Session Fixation in Apache CXF (2022-05-13)
GHSA: Session Fixation in Apache CXF (2022-05-13)
CVEList: CVE-2017-5656: Apache CXF's STSClient before 3 (2017-04-18)

📋 Vendor Advisories (1)

Red Hat: cxf: CXF's STSClient uses a flawed way of caching tokens that are associated with delegation tokens (2017-04-05)

💬 Community (2)

Bugzilla: CVE-2017-5653 CVE-2017-5656 cxf: various flaws [fedora-all] (2017-04-25)
Bugzilla: CVE-2017-5656 cxf: CXF's STSClient uses a flawed way of caching tokens that are associated with delegation tokens (2017-04-25)
CVE-2017-5656 (HIGH CVSS 7.5) | Apache CXF's STSClient before 3.1.1 | cvebase.io