CVE-2018-8038 – org.apache.cxf.fediz:fediz-jetty9
Package
Manager: maven
Name: org.apache.cxf.fediz:fediz-jetty9
Vulnerable Version: >=0 <1.4.4
Severity
Level: High
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N/E:U/RL:O/RC:C
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
EPSS: 0.40655 (percentile 0.97276)
Details
High severity vulnerability that affects org.apache.cxf.fediz:fediz-jetty8, org.apache.cxf.fediz:fediz-jetty9, org.apache.cxf.fediz:fediz-spring, org.apache.cxf.fediz:fediz-spring2, and org.apache.cxf.fediz:fediz-spring3. Versions of Apache CXF Fediz prior to 1.4.4 do not fully disable Document Type Declarations (DTDs), either when parsing the Identity Provider response in the application plugins or in the Identity Provider itself when parsing certain XML-based parameters.
Metadata
Created: 2018-10-18T16:56:47Z
Modified: 2020-06-16T21:59:21Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/10/GHSA-w3gh-g32m-cvhr/GHSA-w3gh-g32m-cvhr.json
CWE IDs: ["CWE-20"]
Alternative ID: GHSA-w3gh-g32m-cvhr
Finding: F184
Auto approve: 1