CVE-2016-4464

9.8CRITICAL

Key Information:

Vendor
Apache
Status
Cxf Fediz
Vendor
CVE Published:
21 September 2016

Summary

The application plugins in Apache CXF Fediz 1.2.x before 1.2.3 and 1.3.x before 1.3.1 do not match SAML AudienceRestriction values against configured audience URIs, which might allow remote attackers to have bypass intended restrictions and have unspecified other impact via a crafted SAML token with a trusted signature.

References

http://www.securitytracker.com/id/1036869
vdb-entryx_refsource_SECTRACK
http://cxf.apache.org/security-advisories.data/CVE-2016-4...
x_refsource_CONFIRM
http://www.securityfocus.com/bid/92905
vdb-entryx_refsource_BID

CVSS V3.1

Score:
9.8
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.