Skip to main content

CVE-2017-5656

Severity

3.5

Description

Apache CXF's STSClient before 3.1.11 and 3.0.13 uses a flawed way of caching tokens that are associated with delegation tokens, which means that an attacker could craft a token which would return an identifer corresponding to a cached token for another user.

Mitigation

We recommend upgrading to a version of this component that is not vulnerable to this specific issue.

Project

Apache TomEE

Category
Apache CXF's STSClient uses a flawed way of caching tokens that are associated with delegation tokens.
Tags
data
Date Disclosed

2017-04-18

Date Discovered

2017-01-29

Apache TomEE 7.0.x

First release:
2016-05-17
CVEs:
111
Support Lifecycle:
Namespace:
javax

Apache TomEE 1.7.x

First release:
2014-08-09
CVEs:
95
Support Lifecycle:
Namespace:
javax

Apache TomEE 1.6.x

First release:
2013-11-17
CVEs:
108
Support Lifecycle:
Namespace:
javax

Apache TomEE 1.5.x

First release:
2012-09-28
CVEs:
119
Support Lifecycle:
Namespace:
javax

Apache TomEE 1.0.x

First release:
2012-04-27
CVEs:
130
Support Lifecycle:
Namespace:
javax
Feel Vulnerable? 

Contact us so we can help you.

* These fields are required.