CVE-2017-7662Cross-Site Request Forgery in Apache CXF Fediz

CWE-352Cross-Site Request Forgery4 documents4 sources
Severity
8.8HIGHNVD
EPSS
1.0%
top 23.12%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Apache CXF FedizApache Software Foundation Apache CXF Fediz
Timeline
PublishedMay 16
Latest updateMay 13

Description

Apache CXF Fediz ships with an OpenId Connect (OIDC) service which has a Client Registration Service, which is a simple web application that allows clients to be created, deleted, etc. A CSRF (Cross Style Request Forgery) style vulnerability has been found in this web application in Apache CXF Fediz prior to 1.4.0 and 1.3.2, meaning that a malicious web application could create new clients, or reset secrets, etc, after the admin user has logged on to the client registration service and the sessi

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages2 packages

CVEListV5apache_software_foundation/apache_cxf_fedizprior to 1.4.0, 1.3.2 and 1.2.4.
NVDapache/cxf_fediz1.3.2+1

Patches

Patch: cxf.apache.orgPatch: cxf.apache.org

🔴Vulnerability Details

3
GHSA
Cross-Site Request Forgery in Apache CXF Fediz2022-05-13
OSV
Cross-Site Request Forgery in Apache CXF Fediz2022-05-13
CVEList
CVE-2017-7662: Apache CXF Fediz ships with an OpenId Connect (OIDC) service which has a Client Registration Service, which is a simple web application that allows cl2017-05-16
CVE-2017-7662 — Cross-Site Request Forgery in Apache | cvebase