CVE-2017-3156 – cxf: CXF OAuth2 Hawk and JOSE MAC Validation code are vulnerable to timing attacks
https://notcve.org/view.php?id=CVE-2017-3156
The OAuth2 Hawk and JOSE MAC Validation code in Apache CXF prior to 3.0.13 and 3.1.x prior to 3.1.10 is not using a constant time MAC signature comparison algorithm which may be exploited by sophisticated timing attacks. OAuth2 Hawk y JOSE MAC en Apache CXF en versiones anteriores a la 3.0.13 y en versiones 3.1.x anteriores a la 3.1.10 no emplean un algoritmo de comparación de firma MAC de tiempo constante, lo que podría ser explotado por ataques basados en tiempo sofisticados. It was found that Apache CXF OAuth2 Hawk and JOSE MAC Validation code is not using a constant time MAC signature comparison algorithm which may be exploited by some sophisticated timing attacks. It may only affect OAuth2 Hawk or JWT access tokens or JOSE JWS/JWE interceptors which depend on HMAC secret key algorithms. • http://cxf.apache.org/security-advisories.data/CVE-2017-3156.txt.asc http://www.securityfocus.com/bid/96398 https://access.redhat.com/errata/RHSA-2017:1832 https://lists.apache.org/thread.html/r36e44ffc1a9b365327df62cdfaabe85b9a5637de102cea07d79b2dbf%40%3Ccommits.cxf.apache.org%3E https://lists.apache.org/thread.html/rc774278135816e7afc943dc9fc78eb0764f2c84a2b96470a0187315c%40%3Ccommits.cxf.apache.org%3E https://lists.apache.org/thread.html/rd49aabd984ed540c8ff7916d4d79405f3fa311d2fdbcf9ed307839a6%40%3Ccommits.cxf.apache.org%3E https://lists.ap • CWE-385: Covert Timing Channel •
CVE-2016-6812 – apache-cxf: XSS in Apache CXF FormattedServiceListWriter
https://notcve.org/view.php?id=CVE-2016-6812
The HTTP transport module in Apache CXF prior to 3.0.12 and 3.1.x prior to 3.1.9 uses FormattedServiceListWriter to provide an HTML page which lists the names and absolute URL addresses of the available service endpoints. The module calculates the base URL using the current HttpServletRequest. The calculated base URL is used by FormattedServiceListWriter to build the service endpoint absolute URLs. If the unexpected matrix parameters have been injected into the request URL then these matrix parameters will find their way back to the client in the services list page which represents an XSS risk to the client. El módulo de transporte HTTP en Apache CXF anterior a su versión 3.0.12 y en versiones 3.1.x anteriores a 3.1.9 utiliza FormattedServiceListWriter para proporcionar una página HTML que enumera los nombres y URL absolutas de endpoints de servicio disponibles. • http://cxf.apache.org/security-advisories.data/CVE-2016-6812.txt.asc http://www.securityfocus.com/bid/97582 http://www.securitytracker.com/id/1037543 https://access.redhat.com/errata/RHSA-2017:0868 https://issues.apache.org/jira/browse/CXF-6216 https://lists.apache.org/thread.html/r36e44ffc1a9b365327df62cdfaabe85b9a5637de102cea07d79b2dbf%40%3Ccommits.cxf.apache.org%3E https://lists.apache.org/thread.html/rc774278135816e7afc943dc9fc78eb0764f2c84a2b96470a0187315c%40%3Ccommits.cxf.apache.org%3E https://lists.apache.org/th • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2016-8739 – apache-cxf: Atom entity provider of Apache CXF JAX-RS is vulnerable to XXE
https://notcve.org/view.php?id=CVE-2016-8739
The JAX-RS module in Apache CXF prior to 3.0.12 and 3.1.x prior to 3.1.9 provides a number of Atom JAX-RS MessageBodyReaders. These readers use Apache Abdera Parser which expands XML entities by default which represents a major XXE risk. El módulo JAX-RS en Apache CXF anterior a 3.0.12 y en sus versiones 3.1.x anteriores a 3.1.9 proporciona un número de Atom JAX-RS MessageBodyReaders. Estos lectores emplean Apache Abdera Parser que expande las entidades XML por defecto. Esto representa un gran riesgo de XXE. • http://cxf.apache.org/security-advisories.data/CVE-2016-8739.txt.asc http://www.securityfocus.com/bid/97579 http://www.securitytracker.com/id/1037544 https://access.redhat.com/errata/RHSA-2017:0868 https://lists.apache.org/thread.html/r36e44ffc1a9b365327df62cdfaabe85b9a5637de102cea07d79b2dbf%40%3Ccommits.cxf.apache.org%3E https://lists.apache.org/thread.html/rc774278135816e7afc943dc9fc78eb0764f2c84a2b96470a0187315c%40%3Ccommits.cxf.apache.org%3E https://lists.apache.org/thread.html/rd49aabd984ed540c8ff7916d4d79405f3fa311d2fdbcf9ed307839a6%40%3Cco • CWE-611: Improper Restriction of XML External Entity Reference •
CVE-2015-5253 – apache-cxf: SAML SSO processing is vulnerable to wrapping attack
https://notcve.org/view.php?id=CVE-2015-5253
The SAML Web SSO module in Apache CXF before 2.7.18, 3.0.x before 3.0.7, and 3.1.x before 3.1.3 allows remote authenticated users to bypass authentication via a crafted SAML response with a valid signed assertion, related to a "wrapping attack." El módulo Web SSO SAML en Apache CXF en versiones anteriores a 2.7.18, 3.0.x en versiones anteriores a 3.0.7 y 3.1.x en versiones anteriores a 3.1.3 permite a usuarios remotos autenticados eludir la autenticación a través de una respuesta SAML manipulada con una aserción firmada valida, relacionado con un 'wrapping attack.' It was found that Apache CXF permitted wrapping attacks in its support for SAML SSO. A malicious user could construct a SAML response that would bypass the login screen and possibly gain access to restricted information or resources. • http://cxf.apache.org/security-advisories.data/CVE-2015-5253.txt.asc http://rhn.redhat.com/errata/RHSA-2016-0321.html http://www.openwall.com/lists/oss-security/2015/11/14/1 http://www.securitytracker.com/id/1034162 https://git-wip-us.apache.org/repos/asf?p=cxf.git%3Ba=commitdiff%3Bh=845eccb6484b43ba02875c71e824db23ae4f20c0 https://lists.apache.org/thread.html/r36e44ffc1a9b365327df62cdfaabe85b9a5637de102cea07d79b2dbf%40%3Ccommits.cxf.apache.org%3E https://lists.apache.org/thread.html/rc774278135816e7afc943dc9fc78eb0764 • CWE-264: Permissions, Privileges, and Access Controls •
CVE-2014-3584 – CXF: Denial of Service (DoS) via invalid JAX-RS SAML tokens
https://notcve.org/view.php?id=CVE-2014-3584
The SamlHeaderInHandler in Apache CXF before 2.6.11, 2.7.x before 2.7.8, and 3.0.x before 3.0.1 allows remote attackers to cause a denial of service (infinite loop) via a crafted SAML token in the authorization header of a request to a JAX-RS service. SamlHeaderInHandler en Apache CXF anterior a 2.6.11, 2.7.x anterior a 2.7.8, y 3.0.x anterior a 3.0.1 permite a atacantes remotos causar una denegación de servicio (bucle infinito) a través de un token SAML manipulado en la cabecera de autorización de una solicitud hacia un servicio JAX-RS. • http://cxf.apache.org/security-advisories.data/CVE-2014-3584.txt.asc http://seclists.org/oss-sec/2014/q4/437 http://secunia.com/advisories/61909 http://www.securityfocus.com/bid/70738 https://exchange.xforce.ibmcloud.com/vulnerabilities/97753 https://lists.apache.org/thread.html/r36e44ffc1a9b365327df62cdfaabe85b9a5637de102cea07d79b2dbf%40%3Ccommits.cxf.apache.org%3E https://lists.apache.org/thread.html/rc774278135816e7afc943dc9fc78eb0764f2c84a2b96470a0187315c%40%3Ccommits.cxf.apache.org%3E https://lists.apache.org/thread. • CWE-399: Resource Management Errors CWE-835: Loop with Unreachable Exit Condition ('Infinite Loop') •