CVE-2017-12631
CVSS v3 Base Score: 8.8 (HIGH)
Source: [email protected]
Attack Vector: network
Attack Complexity: low
Privileges Required: none
User Interaction: required
Scope: unchanged
Confidentiality: high
Integrity: high
Availability: high
CVSS v2 Base Score: 6.8 (MEDIUM)
Source: [email protected]
Access Vector: network
Access Complexity: medium
Authentication: none
Confidentiality: partial
Integrity: partial
Availability: partial
Description
Apache CXF Fediz ships with a number of container-specific plugins to enable WS-Federation for applications. A CSRF (Cross-Site Request Forgery) style vulnerability has been found in the Spring 2, Spring 3 and Spring 4 plugins in versions before 1.4.3 and 1.3.3. The vulnerability can result in a security context that is set up using a malicious client's roles for the given end user.
EPSS (Exploit Prediction Scoring System)
Predicts the probability of exploitation based on threat intelligence and the characteristics of the vulnerability.
EPSS Score: 0.0137
Percentile: 0.8th
EPSS Score Trend (Last 91 Days)
Weakness: CWE-352 Cross-Site Request Forgery (CSRF) (CWE status: Stable)
Common Consequences
Security Scopes Affected: Confidentiality, Integrity, Availability, Non-Repudiation, Access Control
Potential Impacts: Gain Privileges or Assume Identity; Bypass Protection Mechanism; Read Application Data; Modify Application Data; DoS: Crash, Exit, or Restart
Applicable Platforms (Technologies): Web Based, Web Server
Affected Configurations (CPE, Common Platform Enumeration: standardized vulnerability identification)
Application: Cxf Fediz by Apache
CPE Identifier: cpe:2.3:a:apache:cxf_fediz:1.4.1:*:*:*:*:*:*:*
Application: Cxf Fediz by Apache
CPE Identifier: cpe:2.3:a:apache:cxf_fediz:1.4.0:*:*:*:*:*:*:*
Application: Cxf Fediz by Apache
Version Range Affected: to 1.3.3 (exclusive)
CPE Identifier: cpe:2.3:a:apache:cxf_fediz:*:*:*:*:*:*:*:*
Application: Cxf Fediz by Apache
CPE Identifier: cpe:2.3:a:apache:cxf_fediz:1.4.2:*:*:*:*:*:*:*
References
http://cxf.547215.n5.nabble.com/Apache-CXF-Fediz-1-4-3-and-1-3-3-released-with-…
https://lists.apache.org/thread.html/r36e44ffc1a9b365327df62cdfaabe85b9a5637de1…
https://lists.apache.org/thread.html/rc774278135816e7afc943dc9fc78eb0764f2c84a2…
https://lists.apache.org/thread.html/rd49aabd984ed540c8ff7916d4d79405f3fa311d2f…
https://lists.apache.org/thread.html/rec7160382badd3ef4ad017a22f64a266c7188b9ba…
https://lists.apache.org/thread.html/rfb87e0bf3995e7d560afeed750fac9329ff5f1ad4…
https://lists.apache.org/thread.html/rff42cfa5e7d75b7c1af0e37589140a8f1999e578a…
http://www.securityfocus.com/bid/102127
http://www.securitytracker.com/id/1040487