CVE-2021-22696 – org.apache.cxf:cxf

Package

Manager: maven
Name: org.apache.cxf:cxf
Vulnerable Version: >=3.4.0 <3.4.3 || >=0 <3.3.10

Severity

Level: High

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

EPSS: 0.00487 pctl0.64467

Details

Authorization service vulnerable to DDos attacks in Apache CFX CXF supports (via JwtRequestCodeFilter) passing OAuth 2 parameters via a JWT token as opposed to query parameters (see: The OAuth 2.0 Authorization Framework: JWT Secured Authorization Request (JAR)). Instead of sending a JWT token as a "request" parameter, the spec also supports specifying a URI from which to retrieve a JWT token from via the "request_uri" parameter. CXF was not validating the "request_uri" parameter (apart from ensuring it uses "https) and was making a REST request to the parameter in the request to retrieve a token. This means that CXF was vulnerable to DDos attacks on the authorization server, as specified in section 10.4.1 of the spec. This issue affects Apache CXF versions prior to 3.4.3; Apache CXF versions prior to 3.3.10.

Metadata

Created: 2021-05-13T22:31:05Z
Modified: 2021-10-21T17:14:23Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/05/GHSA-7q4h-pj78-j7vg/GHSA-7q4h-pj78-j7vg.json
CWE IDs: ["CWE-400", "CWE-918"]
Alternative ID: GHSA-7q4h-pj78-j7vg
Finding: F100
Auto approve: 1