CSRF Vulnerability in Apache CXF Fediz Plugin for Spring Framework
CVE-2017-12631

8.8 HIGH

Key Information:

Vendor: Apache
CVE Published: 30 November 2017

Summary

A Cross-Site Request Forgery (CSRF) vulnerability exists in the Apache CXF Fediz plugin for the Spring Framework, affecting versions prior to 1.4.3 for Spring 2.x, 3.x, and 4.x. The flaw could allow a malicious actor to manipulate an application's security context by injecting roles into the end user's session. As a consequence, unauthorized actions may be performed with the impersonated user's privileges, posing a significant security risk for applications that rely on these frameworks.

Affected Version(s)

Apache CXF Fediz 1.4.x prior to 1.4.3

Apache CXF Fediz prior to 1.3.3

References

CVSS V3.1

Score: 8.8
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
