Moderate severity vulnerability that affects org.apache.cxf.fediz:fediz-spring, org.apache.cxf.fediz:fediz-spring2, and org.apache.cxf.fediz:fediz-spring3

Moderate severity GitHub Reviewed Published Oct 18, 2018 to the GitHub Advisory Database • Updated Apr 12, 2024

Packages

org.apache.cxf.fediz:fediz-spring (Maven)
  Affected versions: < 1.3.3; >= 1.4.0, < 1.4.3
  Patched versions: 1.3.3; 1.4.3

org.apache.cxf.fediz:fediz-spring2 (Maven)
  Affected versions: < 1.3.3; >= 1.4.0, < 1.4.3
  Patched versions: 1.3.3; 1.4.3

org.apache.cxf.fediz:fediz-spring3 (Maven)
  Affected versions: < 1.3.3; >= 1.4.0, < 1.4.3
  Patched versions: 1.3.3; 1.4.3

Description

Apache CXF Fediz ships with a number of container-specific plugins to enable WS-Federation for applications. A CSRF (Cross-Site Request Forgery) style vulnerability has been found in the Spring 2, Spring 3 and Spring 4 plugins in versions before 1.4.3 and 1.3.3. The vulnerability can result in a security context that is set up using a malicious client's roles for the given end user.

References

Published by the National Vulnerability Database Nov 30, 2017
Published to the GitHub Advisory Database Oct 18, 2018
Reviewed Jun 16, 2020
Last updated Apr 12, 2024

Severity

Moderate

EPSS score

0.470%
(75th percentile)

CVE ID

CVE-2017-12631

GHSA ID

GHSA-fv7x-4hpc-hf9f
