CVE-2017-5656
cxf: CXF's STSClient uses a flawed way of caching tokens that are associated with delegation tokens
Descriptions
Apache CXF's STSClient before 3.1.11 and 3.0.13 uses a flawed way of caching tokens that are associated with delegation tokens, which means that an attacker could craft a token which would return an identifier corresponding to a cached token for another user.
Apache CXF's STSClient in versions prior to 3.1.11 and 3.0.13 uses a flawed way of caching tokens that are associated with delegation tokens, which means that an attacker could craft a token that returns the identifier corresponding to a cached token belonging to another user.
It was found that the token cacher in Apache CXF uses a flawed way of caching tokens that are associated with the delegation token received from the Security Token Service (STS). This vulnerability could allow an attacker to craft a token which could return an identifier corresponding to a cached token for another user.
Timeline
- 2017-01-29 CVE Reserved
- 2017-04-18 CVE Published
- 2023-07-23 EPSS Updated
- 2024-08-05 CVE Updated
CWE
- CWE-384: Session Fixation
References (13)
URL | Date | SRC
---|---|---
http://cxf.apache.org/security-advisories.data/CVE-2017-5656.txt.asc?version=1&modificationDate=1492515113282&api=v2 | 2023-11-07 |
https://access.redhat.com/errata/RHSA-2017:1832 | 2023-11-07 |
https://access.redhat.com/errata/RHSA-2018:1694 | 2023-11-07 |
https://access.redhat.com/security/cve/CVE-2017-5656 | 2018-05-22 |
https://bugzilla.redhat.com/show_bug.cgi?id=1445329 | 2018-05-22 |
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status
---|---|---|---|---
Apache | Cxf | >= 3.0.0 < 3.0.13 | - | Affected
Apache | Cxf | >= 3.1.0 < 3.1.11 | - | Affected