GHSA-qpwj-mvv7-v3m9

Suggest an improvement
Source
https://github.com/advisories/GHSA-qpwj-mvv7-v3m9
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/10/GHSA-qpwj-mvv7-v3m9/GHSA-qpwj-mvv7-v3m9.json
JSON Data
https://api.test.osv.dev/v1/vulns/GHSA-qpwj-mvv7-v3m9
Aliases
Published
2018-10-18T16:57:10Z
Modified
2024-12-02T05:47:49.987382Z
Summary
High severity vulnerability that affects org.apache.cxf.fediz:fediz-spring and org.apache.cxf.fediz:fediz-spring2
Details

The application plugins in Apache CXF Fediz 1.2.x before 1.2.3 and 1.3.x before 1.3.1 do not match SAML AudienceRestriction values against configured audience URIs, which might allow remote attackers to have bypass intended restrictions and have unspecified other impact via a crafted SAML token with a trusted signature.

Database specific
{
    "nvd_published_at": "2016-09-21T18:59:00Z",
    "cwe_ids": [
        "CWE-284"
    ],
    "severity": "HIGH",
    "github_reviewed": true,
    "github_reviewed_at": "2020-06-16T21:52:31Z"
}
References

Affected packages

Maven / org.apache.cxf.fediz:fediz-spring

Package

Name
org.apache.cxf.fediz:fediz-spring
View open source insights on deps.dev
Purl
pkg:maven/org.apache.cxf.fediz/fediz-spring

Affected ranges

Type
ECOSYSTEM
Events
Introduced
1.2.0
Fixed
1.2.3

Affected versions

1.*

1.2.0
1.2.1
1.2.2

Maven / org.apache.cxf.fediz:fediz-spring

Package

Name
org.apache.cxf.fediz:fediz-spring
View open source insights on deps.dev
Purl
pkg:maven/org.apache.cxf.fediz/fediz-spring

Affected ranges

Type
ECOSYSTEM
Events
Introduced
1.3.0
Fixed
1.3.1

Affected versions

1.*

1.3.0

Maven / org.apache.cxf.fediz:fediz-spring2

Package

Name
org.apache.cxf.fediz:fediz-spring2
View open source insights on deps.dev
Purl
pkg:maven/org.apache.cxf.fediz/fediz-spring2

Affected ranges

Type
ECOSYSTEM
Events
Introduced
1.2.0
Fixed
1.2.3

Affected versions

1.*

1.2.0
1.2.1
1.2.2

Maven / org.apache.cxf.fediz:fediz-spring2

Package

Name
org.apache.cxf.fediz:fediz-spring2
View open source insights on deps.dev
Purl
pkg:maven/org.apache.cxf.fediz/fediz-spring2

Affected ranges

Type
ECOSYSTEM
Events
Introduced
1.3.0
Fixed
1.3.1

Affected versions

1.*

1.3.0