GHSA-whw7-h25v-9qvx

Source

https://github.com/advisories/GHSA-whw7-h25v-9qvx

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/10/GHSA-whw7-h25v-9qvx/GHSA-whw7-h25v-9qvx.json

JSON Data

https://api.test.osv.dev/v1/vulns/GHSA-whw7-h25v-9qvx

Aliases

CVE-2017-7661

Published

2018-10-18T16:56:38Z

Modified

2024-12-02T05:43:10.364442Z

Summary

Moderate severity vulnerability that affects org.apache.cxf.fediz:fediz-jetty8, org.apache.cxf.fediz:fediz-jetty9, and org.apache.cxf.fediz:fediz-spring2

Details

Apache CXF Fediz ships with a number of container-specific plugins to enable WS-Federation for applications. A CSRF (Cross Style Request Forgery) style vulnerability has been found in the Spring 2, Spring 3, Jetty 8 and Jetty 9 plugins in Apache CXF Fediz prior to 1.4.0, 1.3.2 and 1.2.4.

Database specific

{
    "github_reviewed_at": "2020-06-16T22:00:38Z",
    "severity": "MODERATE",
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-352"
    ],
    "nvd_published_at": "2017-05-16T17:29:00Z"
}

References

Affected packages

Maven

org.apache.cxf.fediz:fediz-spring2

Package

Name: org.apache.cxf.fediz:fediz-spring2; View open source insights on deps.dev
Purl: pkg:maven/org.apache.cxf.fediz/fediz-spring2

Affected ranges

Type: ECOSYSTEM
Events: Introduced

1.3.0

Fixed

1.3.2

Affected versions

1.*

1.3.0

1.3.1

org.apache.cxf.fediz:fediz-spring2

Package

Name: org.apache.cxf.fediz:fediz-spring2; View open source insights on deps.dev
Purl: pkg:maven/org.apache.cxf.fediz/fediz-spring2

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1.2.4

Affected versions

1.*

1.1.0

1.1.1

1.1.2

1.1.3

1.2.0

1.2.1

1.2.2

1.2.3

org.apache.cxf.fediz:fediz-jetty9

Package

Name: org.apache.cxf.fediz:fediz-jetty9; View open source insights on deps.dev
Purl: pkg:maven/org.apache.cxf.fediz/fediz-jetty9

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1.3.2

Affected versions

1.*

1.3.0

1.3.1

org.apache.cxf.fediz:fediz-jetty8

Package

Name: org.apache.cxf.fediz:fediz-jetty8; View open source insights on deps.dev
Purl: pkg:maven/org.apache.cxf.fediz/fediz-jetty8

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1.3.2

Affected versions

1.*

1.3.0

1.3.1