Search for packages
| purl | pkg:maven/org.apache.cxf/cxf-rt-rs-security-oauth2@3.0.0-milestone1 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-tujp-5vda-b3c5
Aliases: CVE-2021-22696 GHSA-7q4h-pj78-j7vg |
Authorization service vulnerable to DDos attacks in Apache CFX CXF supports (via JwtRequestCodeFilter) passing OAuth 2 parameters via a JWT token as opposed to query parameters (see: The OAuth 2.0 Authorization Framework: JWT Secured Authorization Request (JAR)). Instead of sending a JWT token as a "request" parameter, the spec also supports specifying a URI from which to retrieve a JWT token from via the "request_uri" parameter. CXF was not validating the "request_uri" parameter (apart from ensuring it uses "https) and was making a REST request to the parameter in the request to retrieve a token. This means that CXF was vulnerable to DDos attacks on the authorization server, as specified in section 10.4.1 of the spec. This issue affects Apache CXF versions prior to 3.4.3; Apache CXF versions prior to 3.3.10. |
Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| This package is not known to fix vulnerabilities. | ||
| Date | Actor | Action | Vulnerability | Source | VulnerableCode Version |
|---|---|---|---|---|---|
| 2025-08-01T09:51:19.460418+00:00 | GitLab Importer | Affected by | VCID-tujp-5vda-b3c5 | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.apache.cxf/cxf-rt-rs-security-oauth2/CVE-2021-22696.yml | 37.0.0 |