Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLXczZ2gtZzMybS1jdmhy

High severity vulnerability that affects org.apache.cxf.fediz:fediz-jetty8, org.apache.cxf.fediz:fediz-jetty9, org.apache.cxf.fediz:fediz-spring, org.apache.cxf.fediz:fediz-spring2, and org.apache.cxf.fediz:fediz-spring3

Versions of Apache CXF Fediz prior to 1.4.4 do not fully disable Document Type Declarations (DTDs) when either parsing the Identity Provider response in the application plugins, or in the Identity Provider itself when parsing certain XML-based parameters.

Permalink: https://github.com/advisories/GHSA-w3gh-g32m-cvhr
JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLXczZ2gtZzMybS1jdmhy
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: about 6 years ago
Updated: almost 2 years ago


Identifiers: GHSA-w3gh-g32m-cvhr, CVE-2018-8038
References: Repository: https://github.com/apache/cxf-fediz
Blast Radius: 0.0

Affected Packages

maven:org.apache.cxf.fediz:fediz-jetty9
Dependent packages: 3
Dependent repositories: 2
Downloads:
Affected Version Ranges: < 1.4.4
Fixed in: 1.4.4
All affected versions: 1.3.0, 1.3.1, 1.3.2, 1.3.3, 1.4.0, 1.4.1, 1.4.2, 1.4.3
All unaffected versions: 1.4.4, 1.4.5, 1.4.6, 1.5.0, 1.5.1, 1.6.0, 1.6.1, 1.6.2, 1.7.0
maven:org.apache.cxf.fediz:fediz-jetty8
Dependent packages: 2
Dependent repositories: 0
Downloads:
Affected Version Ranges: < 1.4.4
Fixed in: 1.4.4
All affected versions: 1.3.0, 1.3.1, 1.3.2, 1.3.3, 1.4.0, 1.4.1, 1.4.2, 1.4.3
All unaffected versions: 1.4.4, 1.4.5, 1.4.6
maven:org.apache.cxf.fediz:fediz-spring3
Dependent packages: 2
Dependent repositories: 1
Downloads:
Affected Version Ranges: < 1.4.4
Fixed in: 1.4.4
All affected versions: 1.4.0, 1.4.1, 1.4.2, 1.4.3
All unaffected versions: 1.4.4, 1.4.5, 1.4.6
maven:org.apache.cxf.fediz:fediz-spring2
Dependent packages: 4
Dependent repositories: 2
Downloads:
Affected Version Ranges: < 1.4.4
Fixed in: 1.4.4
All affected versions: 1.1.0, 1.1.1, 1.1.2, 1.1.3, 1.2.0, 1.2.1, 1.2.2, 1.2.3, 1.2.4, 1.3.0, 1.3.1, 1.3.2, 1.3.3, 1.4.0, 1.4.1, 1.4.2, 1.4.3
All unaffected versions: 1.4.4, 1.4.5, 1.4.6
maven:org.apache.cxf.fediz:fediz-spring
Dependent packages: 9
Dependent repositories: 8
Downloads:
Affected Version Ranges: < 1.4.4
Fixed in: 1.4.4
All affected versions: 1.1.0, 1.1.1, 1.1.2, 1.1.3, 1.2.0, 1.2.1, 1.2.2, 1.2.3, 1.2.4, 1.3.0, 1.3.1, 1.3.2, 1.3.3, 1.4.0, 1.4.1, 1.4.2, 1.4.3
All unaffected versions: 1.4.4, 1.4.5, 1.4.6, 1.5.0, 1.5.1, 1.6.0, 1.6.1, 1.6.2, 1.7.0