CVE-2017-7661 — Cross-Site Request Forgery in Apache CXF Fediz

CWE-352 — Cross-Site Request Forgery4 documents4 sources

Severity

8.8HIGHNVD

EPSS

0.9%

top 23.94%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Apache CXF Fediz Apache Software Foundation Apache CXF Fediz

Timeline

PublishedMay 16

Latest updateOct 18

Description

Apache CXF Fediz ships with a number of container-specific plugins to enable WS-Federation for applications. A CSRF (Cross Style Request Forgery) style vulnerability has been found in the Spring 2, Spring 3, Jetty 8 and Jetty 9 plugins in Apache CXF Fediz prior to 1.4.0, 1.3.2 and 1.2.4.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages2 packages

▶CVEListV5apache_software_foundation/apache_cxf_fedizprior to 1.4.0, 1.3.2 and 1.2.4.

▶NVDapache/cxf_fediz1.4.0+2

Patches

Patch: cxf.apache.org ↗Patch: cxf.apache.org ↗

🔴Vulnerability Details

GHSA

Moderate severity vulnerability that affects org.apache.cxf.fediz:fediz-jetty8, org.apache.cxf.fediz:fediz-jetty9, and org.apache.cxf.fediz:fediz-spring2↗2018-10-18

▶

OSV

Moderate severity vulnerability that affects org.apache.cxf.fediz:fediz-jetty8, org.apache.cxf.fediz:fediz-jetty9, and org.apache.cxf.fediz:fediz-spring2↗2018-10-18

▶

CVEList

CVE-2017-7661: Apache CXF Fediz ships with a number of container-specific plugins to enable WS-Federation for applications↗2017-05-16

▶