Описание
Apache CXF Fediz ships with an OpenId Connect (OIDC) service which has a Client Registration Service, which is a simple web application that allows clients to be created, deleted, etc. A CSRF (Cross Style Request Forgery) style vulnerability has been found in this web application in Apache CXF Fediz prior to 1.4.0 and 1.3.2, meaning that a malicious web application could create new clients, or reset secrets, etc, after the admin user has logged on to the client registration service and the session is still active.
Ссылки
- PatchVendor Advisory
- PatchVendor Advisory
Уязвимые конфигурации
Конфигурация 1Версия до 1.3.2 (включая)
Одно из
cpe:2.3:a:apache:cxf_fediz:*:*:*:*:*:*:*:*
cpe:2.3:a:apache:cxf_fediz:1.4.0:*:*:*:*:*:*:*
EPSS
Процентиль: 74%
0.00848
Низкий
8.8 High
CVSS3
6.8 Medium
CVSS2
Дефекты
CWE-352
Связанные уязвимости
EPSS
Процентиль: 74%
0.00848
Низкий
8.8 High
CVSS3
6.8 Medium
CVSS2
Дефекты
CWE-352