CVE-2018-8038Improper Input Validation in Apache CXF Fediz

CWE-20Improper Input Validation4 documents4 sources
Severity
7.5HIGHNVD
EPSS
50.4%
top 2.15%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Apache CXF FedizApache Software Foundation Apache CXF Fediz
Timeline
PublishedJul 5
Latest updateOct 18

Description

Versions of Apache CXF Fediz prior to 1.4.4 do not fully disable Document Type Declarations (DTDs) when either parsing the Identity Provider response in the application plugins, or in the Identity Provider itself when parsing certain XML-based parameters.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:HExploitability: 3.9 | Impact: 3.6

Affected Packages2 packages

NVDapache/cxf_fediz< 1.4.4

Patches

Patch: github.comPatch: github.com

🔴Vulnerability Details

3
GHSA
High severity vulnerability that affects org.apache.cxf.fediz:fediz-jetty8, org.apache.cxf.fediz:fediz-jetty9, org.apache.cxf.fediz:fediz-spring, org.apache.cxf.fediz:fediz-spring2, and org.apache.cxf2018-10-18
OSV
High severity vulnerability that affects org.apache.cxf.fediz:fediz-jetty8, org.apache.cxf.fediz:fediz-jetty9, org.apache.cxf.fediz:fediz-spring, org.apache.cxf.fediz:fediz-spring2, and org.apache.cxf2018-10-18
CVEList
CVE-2018-8038: Versions of Apache CXF Fediz prior to 12018-07-05
CVE-2018-8038 — Improper Input Validation in Apache | cvebase