CVE-2017-7662 org.apache.cxf.fediz:fediz-oidc

Package

Manager: maven
Name: org.apache.cxf.fediz:fediz-oidc
Vulnerable Version: >=0 <1.3.2

Severity

Level: High

CVSS v3.1: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

EPSS: 0.00848 (percentile 0.74013)

Details

Cross-Site Request Forgery in Apache CXF Fediz

Apache CXF Fediz ships with an OpenID Connect (OIDC) service that includes a Client Registration Service, a simple web application that allows OIDC clients to be created, deleted, etc. A Cross-Site Request Forgery (CSRF) vulnerability has been found in this web application in Apache CXF Fediz prior to 1.4.0 and 1.3.2. While an admin user is logged on to the client registration service and the session is still active, a malicious web application visited in the same browser can cause that session to perform state-changing requests, such as creating new clients or resetting client secrets.

Metadata

Created: 2022-05-13T01:09:19Z
Modified: 2022-11-01T22:50:47Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-f5ch-36rg-vfcc/GHSA-f5ch-36rg-vfcc.json
CWE IDs: ["CWE-352"]
Alternative ID: GHSA-f5ch-36rg-vfcc
Finding: F007
Auto approve: 1