CVE-2017-5656

7.5HIGH

Key Information:

Vendor: Apache
Status: Apache Cxf
Vendor: CVE Published:; 18 April 2017

Summary

Apache CXF's STSClient before 3.1.11 and 3.0.13 uses a flawed way of caching tokens that are associated with delegation tokens, which means that an attacker could craft a token which would return an identifer corresponding to a cached token for another user.

Affected Version(s)

Apache CXF 3.1.x before 3.1.11

Apache CXF versions before 3.0.13

References

https://access.redhat.com/errata/RHSA-2017:1832

vendor-advisoryx_refsource_REDHAT

http://www.securitytracker.com/id/1038282

vdb-entryx_refsource_SECTRACK

http://cxf.apache.org/security-advisories.data/CVE-2017-5...

x_refsource_CONFIRM

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Apr 18, 2017
Vulnerability Reserved
Jan 29, 2017

.