PT-2018-18398 · Apache · Apache Cxf Fediz

Published

2018-07-05

Updated

2021-06-16

CVE-2018-8038

CVSS v3.1

7.5

High

Vector

AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Name of the Vulnerable Software and Affected Versions: Apache CXF Fediz versions prior to 1.4.4

Description: The issue concerns the incomplete disabling of Document Type Declarations (DTDs) in Apache CXF Fediz. This occurs when parsing the Identity Provider response in the application plugins or in the Identity Provider itself when parsing certain XML-based parameters.

Recommendations: For versions prior to 1.4.4, update to version 1.4.4 or later to fully disable Document Type Declarations (DTDs) and mitigate the issue.

Fix

RCE

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-20

Related Identifiers

CVE-2018-8038

GHSA-W3GH-G32M-CVHR

Affected Products

Apache Cxf Fediz

PT-2018-18398 · Apache · Apache Cxf Fediz

CVE-2018-8038

Weakness Enumeration

Related Identifiers

Affected Products

References · 21