CVSS: 7.5EPSS: 3%CPEs: 1EXPL: 1CVE-2018-8038
https://notcve.org/view.php?id=CVE-2018-8038
Versions of Apache CXF Fediz prior to 1.4.4 do not fully disable Document Type Declarations (DTDs) when either parsing the Identity Provider response in the application plugins, or in the Identity Provider itself when parsing certain XML-based parameters. Las versiones de Apache CXF Fediz anteriores a la 1.4.4 no deshabilitan completamente las Document Type Declarations (DTDs) al analizar la respuesta Identity Provider en los plugins de la aplicación o en el propio Identity Provider al analizar ciertos parámetros basados en XML. • https://github.com/tafamace/CVE-2018-8038 http://cxf.apache.org/security-advisories.data/CVE-2018-8038.txt.asc http://www.securitytracker.com/id/1041220 https://github.com/apache/cxf-fediz/commit/b6ed9865d0614332fa419fe4b6d0fe81bc2e660d https://lists.apache.org/thread.html/f0a6a05ec3b3a00458da43712b0ff3a2f573175d9bfb39fb0de21424%40%3Cdev.cxf.apache.org%3E https://lists.apache.org/thread.html/r36e44ffc1a9b365327df62cdfaabe85b9a5637de102cea07d79b2dbf%40%3Ccommits.cxf.apache.org%3E https://lists.apache.org/thread.html/rc774278135816e7afc943dc9fc78eb07 • CWE-20: Improper Input Validation •
CVSS: 8.1EPSS: 0%CPEs: 3EXPL: 1CVE-2018-8039 – apache-cxf: TLS hostname verification does not work correctly with com.sun.net.ssl.*
https://notcve.org/view.php?id=CVE-2018-8039
It is possible to configure Apache CXF to use the com.sun.net.ssl implementation via 'System.setProperty("java.protocol.handler.pkgs", "com.sun.net.ssl.internal.www.protocol");'. When this system property is set, CXF uses some reflection to try to make the HostnameVerifier work with the old com.sun.net.ssl.HostnameVerifier interface. However, the default HostnameVerifier implementation in CXF does not implement the method in this interface, and an exception is thrown. However, in Apache CXF prior to 3.2.5 and 3.1.16 the exception is caught in the reflection code and not properly propagated. What this means is that if you are using the com.sun.net.ssl stack with CXF, an error with TLS hostname verification will not be thrown, leaving a CXF client subject to man-in-the-middle attacks. • https://github.com/tafamace/CVE-2018-8039 http://cxf.apache.org/security-advisories.data/CVE-2018-8039.txt.asc?version=1&modificationDate=1530184663000&api=v2 http://www.securityfocus.com/bid/106357 http://www.securitytracker.com/id/1041199 https://access.redhat.com/errata/RHSA-2018:2276 https://access.redhat.com/errata/RHSA-2018:2277 https://access.redhat.com/errata/RHSA-2018:2279 https://access.redhat.com/errata/RHSA-2018:2423 https://access.redhat.com/errata/RHSA-2018:2424 htt • CWE-248: Uncaught Exception CWE-755: Improper Handling of Exceptional Conditions •
CVSS: 8.8EPSS: 0%CPEs: 4EXPL: 0CVE-2017-12631
https://notcve.org/view.php?id=CVE-2017-12631
Apache CXF Fediz ships with a number of container-specific plugins to enable WS-Federation for applications. A CSRF (Cross Style Request Forgery) style vulnerability has been found in the Spring 2, Spring 3 and Spring 4 plugins in versions before 1.4.3 and 1.3.3. The vulnerability can result in a security context that is set up using a malicious client's roles for the given enduser. Apache CXF Fediz se envía con un número de plugins específicos del contenedor para habilitar WS-Federation para aplicaciones. Se ha encontrado una vulnerabilidad de estilo CSRF (Cross Style Request Forgery) en los plugins Spring 2, Spring 3 y Spring 4 en versiones anteriores a la 1.4.3 y la 1.3.3. • http://cxf.547215.n5.nabble.com/Apache-CXF-Fediz-1-4-3-and-1-3-3-released-with-a-new-security-advisory-CVE-2017-12631-td5785868.html http://www.securityfocus.com/bid/102127 http://www.securitytracker.com/id/1040487 https://lists.apache.org/thread.html/r36e44ffc1a9b365327df62cdfaabe85b9a5637de102cea07d79b2dbf%40%3Ccommits.cxf.apache.org%3E https://lists.apache.org/thread.html/rc774278135816e7afc943dc9fc78eb0764f2c84a2b96470a0187315c%40%3Ccommits.cxf.apache.org%3E https://lists.apache.org/thread.html/rd49aabd984ed540c8ff7916d4d79405f3fa311d2 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 5.5EPSS: 0%CPEs: 3EXPL: 1CVE-2017-12624 – cxf: Improper size validation in message attachment header for JAX-WS and JAX-RS services
https://notcve.org/view.php?id=CVE-2017-12624
Apache CXF supports sending and receiving attachments via either the JAX-WS or JAX-RS specifications. It is possible to craft a message attachment header that could lead to a Denial of Service (DoS) attack on a CXF web service provider. Both JAX-WS and JAX-RS services are vulnerable to this attack. From Apache CXF 3.2.1 and 3.1.14, message attachment headers that are greater than 300 characters will be rejected by default. This value is configurable via the property "attachment-max-header-size". • https://github.com/tafamace/CVE-2017-12624 http://cxf.apache.org/security-advisories.data/CVE-2017-12624.txt.asc http://www.securityfocus.com/bid/101859 http://www.securitytracker.com/id/1040486 https://access.redhat.com/errata/RHSA-2018:2423 https://access.redhat.com/errata/RHSA-2018:2424 https://access.redhat.com/errata/RHSA-2018:2425 https://access.redhat.com/errata/RHSA-2018:2428 https://lists.apache.org/thread.html/r36e44ffc1a9b365327df62cdfaabe85b9a5637de102cea07d79b2dbf%40%3Ccommits.cxf.a • CWE-20: Improper Input Validation •
CVSS: 7.5EPSS: 0%CPEs: 11EXPL: 0CVE-2017-3156 – cxf: CXF OAuth2 Hawk and JOSE MAC Validation code are vulnerable to timing attacks
https://notcve.org/view.php?id=CVE-2017-3156
The OAuth2 Hawk and JOSE MAC Validation code in Apache CXF prior to 3.0.13 and 3.1.x prior to 3.1.10 is not using a constant time MAC signature comparison algorithm which may be exploited by sophisticated timing attacks. OAuth2 Hawk y JOSE MAC en Apache CXF en versiones anteriores a la 3.0.13 y en versiones 3.1.x anteriores a la 3.1.10 no emplean un algoritmo de comparación de firma MAC de tiempo constante, lo que podría ser explotado por ataques basados en tiempo sofisticados. It was found that Apache CXF OAuth2 Hawk and JOSE MAC Validation code is not using a constant time MAC signature comparison algorithm which may be exploited by some sophisticated timing attacks. It may only affect OAuth2 Hawk or JWT access tokens or JOSE JWS/JWE interceptors which depend on HMAC secret key algorithms. • http://cxf.apache.org/security-advisories.data/CVE-2017-3156.txt.asc http://www.securityfocus.com/bid/96398 https://access.redhat.com/errata/RHSA-2017:1832 https://lists.apache.org/thread.html/r36e44ffc1a9b365327df62cdfaabe85b9a5637de102cea07d79b2dbf%40%3Ccommits.cxf.apache.org%3E https://lists.apache.org/thread.html/rc774278135816e7afc943dc9fc78eb0764f2c84a2b96470a0187315c%40%3Ccommits.cxf.apache.org%3E https://lists.apache.org/thread.html/rd49aabd984ed540c8ff7916d4d79405f3fa311d2fdbcf9ed307839a6%40%3Ccommits.cxf.apache.org%3E https://lists.ap • CWE-385: Covert Timing Channel •