Lookup for vulnerable packages by Package URL.
| Field | Value |
| --- | --- |
| Purl | pkg:maven/org.apache.cxf/cxf-core@3.0.12 |
| Type | maven |
| Namespace | org.apache.cxf |
| Name | cxf-core |
| Version | 3.0.12 |
| Qualifiers | |
| Subpath | |
| Is_vulnerable | true |
| Next_non_vulnerable_version | 3.0.13 |
| Latest_non_vulnerable_version | 4.0.4 |
Affected_by_vulnerabilities (2 entries):

| Affected_by_vulnerabilities[0] | |
| --- | --- |
| url | VCID-2c8e-gctq-v3fh |
| vulnerability_id | VCID-2c8e-gctq-v3fh |
| summary | Improper Certificate Validation: JAX-RS XML Security streaming clients in Apache CXF do not validate that the service response was signed or encrypted, which allows remote attackers to spoof servers. |
| references | 12 entries (not rendered on this page) |
| fixed_packages | |
| aliases | CVE-2017-5653, GHSA-hgg6-8x62-m9gf |
| risk_score | null |
| exploitability | null |
| weighted_severity | null |
| resource_url | http://public2.vulnerablecode.io/vulnerabilities/VCID-2c8e-gctq-v3fh |

| Affected_by_vulnerabilities[1] | |
| --- | --- |
| url | VCID-hbak-tuxz-83e4 |
| vulnerability_id | VCID-hbak-tuxz-83e4 |
| summary | Session Fixation: Apache CXF's STSClient uses a flawed way of caching tokens that are associated with delegation tokens, which means that an attacker could craft a token which would return an identifier corresponding to a cached token for another user. |
| references | 13 entries (not rendered on this page) |
| fixed_packages | |
| aliases | CVE-2017-5656, GHSA-v936-x3j5-c76j |
| risk_score | null |
| exploitability | null |
| weighted_severity | null |
| resource_url | http://public2.vulnerablecode.io/vulnerabilities/VCID-hbak-tuxz-83e4 |
Fixing_vulnerabilities (2 entries):

| Fixing_vulnerabilities[0] | |
| --- | --- |
| url | VCID-3w9n-4sux-vyh5 |
| vulnerability_id | VCID-3w9n-4sux-vyh5 |
| summary | Cross-site Scripting: The HTTP transport module in Apache CXF uses `FormattedServiceListWriter` to provide an HTML page which lists the names and absolute URL addresses of the available service endpoints. The module calculates the base URL using the current `HttpServletRequest`, which is used by `FormattedServiceListWriter` to build the service endpoint absolute URLs. If unexpected matrix parameters have been injected into the request URL, these matrix parameters will find their way back to the client in the services list page, which represents an XSS risk to the client. |
| references | 13 entries (not rendered on this page) |
| fixed_packages | |
| aliases | CVE-2016-6812, GHSA-vw2c-5wph-v92r |
| risk_score | null |
| exploitability | null |
| weighted_severity | null |
| resource_url | http://public2.vulnerablecode.io/vulnerabilities/VCID-3w9n-4sux-vyh5 |

| Fixing_vulnerabilities[1] | |
| --- | --- |
| url | VCID-wk5d-6usk-yyh2 |
| vulnerability_id | VCID-wk5d-6usk-yyh2 |
| summary | Improper Restriction of XML External Entity Reference: The JAX-RS module in Apache CXF prior to 3.0.12 and 3.1.x prior to 3.1.9 provides a number of Atom JAX-RS MessageBodyReaders. These readers use the Apache Abdera Parser, which expands XML entities by default and therefore represents a major XXE risk. |
| references | |
| fixed_packages | |
| aliases | CVE-2016-8739, GHSA-x7xf-253v-x3w8 |
| risk_score | null |
| exploitability | null |
| weighted_severity | null |
| resource_url | http://public2.vulnerablecode.io/vulnerabilities/VCID-wk5d-6usk-yyh2 |

| Field | Value |
| --- | --- |
| Risk_score | null |
| Resource_url | http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.cxf/cxf-core@3.0.12 |