CVE-2017-3156

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2017-3156

Import Source

https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2017-3156.json

JSON Data

https://api.test.osv.dev/v1/vulns/CVE-2017-3156

Aliases

GHSA-qc2p-q7x9-v64p

Published

2017-08-10T18:29:00Z

Modified

2024-10-12T02:43:34.876383Z

Severity

7.5 (High) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N CVSS Calculator

Summary

[none]

Details

The OAuth2 Hawk and JOSE MAC Validation code in Apache CXF prior to 3.0.13 and 3.1.x prior to 3.1.10 is not using a constant time MAC signature comparison algorithm which may be exploited by sophisticated timing attacks.

References

Affected packages

Git / github.com/apache/cxf

Affected ranges

Type: GIT
Repo: https://github.com/apache/cxf
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Last affected

16d789c4a913e0cac51bcf929331abe84010ce1e

Last affected

32a346e82042e99336732056e2ec81ebc27f075e

Last affected

7cd4d49a7fe7d24a715192112a2170bdd708e6c7

Last affected

8632867df4b542aeb158aa8d13d08ff6e31c4b4f

Last affected

a04a1e06f7fffc5f145e33c6832f31b04782516b

Last affected

bc9e3714adc8848f37694eea62d33748b01fbb91

Last affected

bf2f1008a84e03aded4dc2f6b0e1b7560d6a666a

Last affected

c98cb3181ae1153c37240a851aefe8e4f3a40ae9

Last affected

cdafd372c60b7e19229d7e6a91fc69b9c5dbc69c

Last affected

f3185100ec7caea0ac4b52108210ed7e68e85271

Last affected

f772a196f03f696d9410e2bfcda8edc75c5a5ce4

Affected versions

cxf-2.*

cxf-2.1

cxf-2.1.2

cxf-2.2

cxf-2.2.1

cxf-2.2.2

cxf-2.3.0

cxf-2.4.0

cxf-2.5.0

cxf-2.5.1

cxf-2.6.0

cxf-2.6.1

cxf-2.7.0

cxf-2.7.1

cxf-2.7.2

cxf-3.*

cxf-3.0.0

cxf-3.0.0-milestone2

cxf-3.0.1

cxf-3.0.10

cxf-3.0.11

cxf-3.0.12

cxf-3.0.2

cxf-3.0.3

cxf-3.0.4

cxf-3.0.5

cxf-3.0.6

cxf-3.0.7

cxf-3.0.8

cxf-3.0.9

cxf-3.1.0

cxf-3.1.1

cxf-3.1.2

cxf-3.1.3

cxf-3.1.4