PT-2016-5964 · Apache · Apache CXF Fediz

Colm O Heigeartaigh · Published 2016-07-05 · Updated 2021-06-16 · CVE-2016-4464

CVSS v3.1: 9.8 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
Apache CXF Fediz versions 1.2.x through 1.2.2
Apache CXF Fediz versions 1.3.x through 1.3.0

Description
The issue lies in the application plugins of Apache CXF Fediz, which do not properly match SAML AudienceRestriction values against the configured audience URIs. A remote attacker could therefore bypass the intended audience restrictions by presenting a crafted SAML token that carries a trusted signature.

Recommendations
For Apache CXF Fediz versions 1.2.x through 1.2.2, update to version 1.2.3 or later. For Apache CXF Fediz versions 1.3.x through 1.3.0, update to version 1.3.1 or later.
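As an added example (not Fediz's own code), this is the strict audience check a relying-party plugin needs once a token's signature has already been verified: every AudienceRestriction in the assertion must contain at least one Audience that exactly equals a configured URI, and a token with no AudienceRestriction is rejected as a policy assumption. The assertion XML and the URIs are constructed for the illustration.

```python
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed relying-party configuration (hypothetical URIs).
CONFIGURED_AUDIENCES = ["https://rp.example.org/fediz"]


def make_assertion(*audiences):
    """Build a minimal SAML 2.0 Assertion for the demo (constructed, unsigned)."""
    aud = "".join(f"<saml:Audience>{a}</saml:Audience>" for a in audiences)
    restriction = f"<saml:AudienceRestriction>{aud}</saml:AudienceRestriction>" if audiences else ""
    return (f'<saml:Assertion xmlns:saml="{SAML_NS}" ID="_constructed" Version="2.0">'
            f"<saml:Issuer>https://idp.example.org</saml:Issuer>"
            f"<saml:Conditions>{restriction}</saml:Conditions></saml:Assertion>")


def audience_is_valid(assertion_xml, configured_audiences):
    """Strict audience validation, assuming the signature was checked beforehand.

    SAML semantics: each AudienceRestriction is independent and must be
    satisfied (AND across restrictions); inside one restriction, any single
    Audience matching suffices (OR). Matching is exact string equality, so
    prefixes, substrings or trailing-slash variants never pass.
    """
    root = ET.fromstring(assertion_xml)
    restrictions = root.findall(f".//{{{SAML_NS}}}Conditions/{{{SAML_NS}}}AudienceRestriction")
    if not restrictions:
        return False  # policy assumption: audience-less tokens are not accepted
    allowed = set(configured_audiences)
    for restriction in restrictions:
        audiences = [(a.text or "").strip() for a in restriction.findall(f"{{{SAML_NS}}}Audience")]
        if not any(a in allowed for a in audiences):
            return False
    return True


if __name__ == "__main__":
    print(audience_is_valid(make_assertion("https://rp.example.org/fediz"), CONFIGURED_AUDIENCES))
    print(audience_is_valid(make_assertion("https://other.example.org/"), CONFIGURED_AUDIENCES))
```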

Weakness Enumeration

Improper Access Control

Related Identifiers

CVE-2016-4464
GHSA-QPWJ-MVV7-V3M9
MGASA-2016-0243

Affected Products

Apache CXF Fediz