Description
Apache CXF's STSClient before 3.1.11 and 3.0.13 uses a flawed way of caching tokens that are associated with delegation tokens, which means that an attacker could craft a token which would return an identifier corresponding to a cached token for another user.
It was found that the token cacher in Apache CXF uses a flawed way of caching tokens that are associated with the delegation token received from the Security Token Service (STS). This vulnerability could allow an attacker to craft a token which could return an identifier corresponding to a cached token for another user.
Affected packages
| Platform | Package | State | Recommendation | Release |
|---|---|---|---|---|
| Red Hat BPM Suite 6 | cxf | Not affected | | |
| Red Hat JBoss BRMS 5 | cxf | Not affected | | |
| Red Hat JBoss BRMS 6 | cxf | Not affected | | |
| Red Hat JBoss Data Grid 6 | cxf | Not affected | | |
| Red Hat JBoss Data Virtualization 6 | cxf | Not affected | | |
| Red Hat JBoss Enterprise Application Platform 5 | cxf | Not affected | | |
| Red Hat JBoss Enterprise Application Platform 6 | cxf | Not affected | | |
| Red Hat JBoss Fuse Service Works 6 | cxf | Not affected | | |
| Red Hat JBoss Operations Network 3 | cxf | Not affected | | |
| Red Hat JBoss Portal 6 | cxf | Not affected | | |
Additional information
Status:
EPSS
5.3 Medium
CVSS3
Related vulnerabilities
Apache CXF's STSClient before 3.1.11 and 3.0.13 uses a flawed way of caching tokens that are associated with delegation tokens, which means that an attacker could craft a token which would return an identifier corresponding to a cached token for another user.