Package details: pkg:maven/org.apache.cxf.fediz/apache-fediz@1.2.2
purl: pkg:maven/org.apache.cxf.fediz/apache-fediz@1.2.2
Next non-vulnerable version: 1.4.4
Latest non-vulnerable version: 1.4.4
Risk: 4.0
Vulnerabilities affecting this package (3)
Vulnerability / Summary / Fixed by

VCID-3579-h8fu-j7e5
Aliases: CVE-2018-8038, GHSA-w3gh-g32m-cvhr
Improper Input Validation: Versions of Apache CXF Fediz do not fully disable Document Type Declarations (DTDs) when parsing the Identity Provider response in the application plugins, or in the Identity Provider itself when parsing certain XML-based parameters. A parser that still accepts a DOCTYPE remains exposed to entity-based attacks (entity expansion and external entity resolution) even when external entity fetching is turned off.
Fixed by: 1.4.4 (affected by 0 other vulnerabilities)

VCID-kyy8-szgp-bkfh
Aliases: CVE-2017-7662, GHSA-f5ch-36rg-vfcc
Cross-Site Request Forgery (CSRF): A malicious web application could forge requests to the client registration service, for example to create new clients or reset client secrets, while an administrator's authenticated session is still active.
Fixed by: 1.3.3 (affected by 2 other vulnerabilities); 1.4.1 (affected by 2 other vulnerabilities)

VCID-zw44-zqrm-jycc
Aliases: CVE-2017-12631, GHSA-fv7x-4hpc-hf9f
Cross-Site Request Forgery (CSRF): Apache CXF Fediz ships with a number of container-specific plugins to enable WS-Federation for applications. A CSRF-style vulnerability has been found in the Spring 2, Spring 3 and Spring 4 plugins. A forged sign-in response accepted by the plugin can result in a security context that is set up using a malicious client's roles for the given end user.
Fixed by: 1.3.3 (affected by 2 other vulnerabilities); 1.4.3 (affected by 1 other vulnerability)
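The DTD entry (CVE-2018-8038) turns on the difference between "external entities are not resolved" and "DTDs are fully disabled". The following is an added illustration written for this page, not code from Apache CXF Fediz; it uses Python's expat binding, whose default configuration already refuses to fetch external entities but still expands entities declared in an internal DTD subset. The two XML documents are constructed samples, not captured WS-Federation messages.

```python
import xml.parsers.expat

# Constructed sample inputs (not real Identity Provider responses).
BENIGN = '<?xml version="1.0"?><Response><Status>ok</Status></Response>'

# The entity lives in the internal DTD subset, so no network fetch is involved:
# a parser that only blocks *external* entities still expands it 8 times.
INTERNAL_DTD = (
    '<?xml version="1.0"?>'
    '<!DOCTYPE Response [ <!ENTITY a "AAAAAAAA"> ]>'
    '<Response><Status>&a;&a;&a;&a;&a;&a;&a;&a;</Status></Response>'
)


class DoctypeRejected(Exception):
    """Raised when a document carries a DOCTYPE and the policy forbids any DTD."""


def extract_text(doc: str, *, disallow_doctype: bool) -> str:
    """Return the character data of `doc`.

    disallow_doctype=False mirrors a parser that merely declines to resolve
    external entities (pyexpat's default: no ExternalEntityRefHandler is set).
    disallow_doctype=True mirrors the "fully disable DTDs" posture: any DOCTYPE,
    even one with only an internal subset, aborts parsing before a single
    entity is expanded.
    """
    parser = xml.parsers.expat.ParserCreate()
    chunks: list[str] = []

    def on_doctype(name, sysid, pubid, has_internal_subset):
        # Fires as soon as <!DOCTYPE ...> is seen, i.e. before the body parses.
        raise DoctypeRejected(f"DOCTYPE '{name}' is not permitted")

    if disallow_doctype:
        parser.StartDoctypeDeclHandler = on_doctype
    parser.CharacterDataHandler = chunks.append
    parser.Parse(doc, True)
    return "".join(chunks)


def is_rejected(doc: str, *, disallow_doctype: bool) -> bool:
    """True if the policy refused the document outright."""
    try:
        extract_text(doc, disallow_doctype=disallow_doctype)
    except DoctypeRejected:
        return True
    return False


if __name__ == "__main__":
    # Partial mitigation: the internal entity is expanded to 64 bytes of 'A'.
    print(len(extract_text(INTERNAL_DTD, disallow_doctype=False)))
    # Full mitigation: the same document is refused, the benign one still parses.
    print(is_rejected(INTERNAL_DTD, disallow_doctype=True))
    print(extract_text(BENIGN, disallow_doctype=True))
```

The practical check for a Java deployment is the same in spirit: confirm that every XML parser on the response path refuses a DOCTYPE altogether (in JAXP terms, the `disallow-doctype-decl` feature) rather than only disabling external general and parameter entities, because an internal subset needs no external fetch to blow up the parser or to smuggle entity-expanded content into the signed-message handling.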
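Both CSRF entries (CVE-2017-7662 on the client registration service and CVE-2017-12631 in the Spring plugins) share one root cause: a state-changing request is accepted on the strength of the browser's ambient session alone, without proof that this session initiated it. The sketch below is an added example written for this page, not the Fediz plugin's own code, and the fix shown is the general binding technique, not a claim about how the project patched it. It models the Spring-plugin case: the relying party issues an unguessable context value when it starts a sign-in (in WS-Federation this would travel in `wctx`, an assumption about where such a value is carried), pins it to the user's session, and only builds a security context from a POSTed sign-in response that carries the same value. The roles and session dictionaries are constructed stand-ins for the real token and container session.

```python
import hmac
import secrets


class CsrfRejected(Exception):
    """The sign-in response could not be tied to a sign-in this session started."""


def complete_signin_unchecked(session: dict, token_roles: list) -> list:
    """The vulnerable shape: whatever sign-in response the browser POSTs is
    trusted, so a response minted for the attacker's account becomes the
    victim's security context."""
    session["roles"] = list(token_roles)
    return session["roles"]


def begin_signin(session: dict) -> str:
    """Mint a single-use, unguessable context value before redirecting to the
    IdP and remember it in the caller's own session."""
    ctx = secrets.token_urlsafe(32)
    session["pending_wctx"] = ctx
    return ctx


def complete_signin(session: dict, posted_wctx, token_roles: list) -> list:
    """Hardened shape: accept the response only if its context value matches
    the one this session issued. The pending value is consumed either way, so
    a replayed response fails too."""
    expected = session.pop("pending_wctx", None)
    if (
        expected is None
        or not isinstance(posted_wctx, str)
        or not hmac.compare_digest(expected, posted_wctx)
    ):
        raise CsrfRejected("sign-in response does not match a pending sign-in")
    session["roles"] = list(token_roles)
    return session["roles"]


def attacker_scenario(checked: bool):
    """Victim has a live session; attacker obtains a genuine response for the
    attacker's own account and makes the victim's browser POST it."""
    victim = {}
    if checked:
        begin_signin(victim)  # value is unknown to the attacker
    attacker_wctx = secrets.token_urlsafe(32)  # attacker's own, unrelated value
    attacker_roles = ["attacker-account"]
    if not checked:
        return complete_signin_unchecked(victim, attacker_roles)
    try:
        return complete_signin(victim, attacker_wctx, attacker_roles)
    except CsrfRejected:
        return "rejected"


def legitimate_then_replayed():
    """The real user's flow succeeds once; resubmitting the same response fails."""
    session = {}
    ctx = begin_signin(session)
    first = complete_signin(session, ctx, ["user"])
    try:
        complete_signin(session, ctx, ["user"])
        second = "accepted"
    except CsrfRejected:
        second = "rejected"
    return first, second


if __name__ == "__main__":
    print(attacker_scenario(checked=False))  # victim session now carries attacker's roles
    print(attacker_scenario(checked=True))   # refused
    print(legitimate_then_replayed())
```

The same binding applies to the client registration service: each form or API call that creates a client or resets a secret should carry a value that only the administrator's own page could have obtained from the session, and the server should refuse the request when that value is absent or does not match.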
Vulnerabilities fixed by this package (0)
This package is not known to fix vulnerabilities.