Description
Apache CXF's STSClient before 3.1.11 and 3.0.13 uses a flawed way of caching tokens that are associated with delegation tokens, which means that an attacker could craft a token which would return an identifier corresponding to a cached token for another user.
References
- Patch; Vendor Advisory
- Third Party Advisory; VDB Entry
- Third Party Advisory; VDB Entry
- Issue Tracking
- Issue Tracking
- Patch; Vendor Advisory
- Third Party Advisory; VDB Entry
- Third Party Advisory; VDB Entry
- Issue Tracking
- Issue Tracking
Vulnerable configurations
Configuration 1: version from 3.0.0 (inclusive) to 3.0.13 (exclusive); version from 3.1.0 (inclusive) to 3.1.11 (exclusive)
One of
cpe:2.3:a:apache:cxf:*:*:*:*:*:*:*:*
cpe:2.3:a:apache:cxf:*:*:*:*:*:*:*:*
EPSS
Percentile: 88%
Score: 0.03801
Low
CVSS3: 7.5 High
CVSS2: 5 Medium
Defects
CWE-384
Related vulnerabilities
CVSS3: 5.3
redhat
almost 9 years ago