Description

Versions of Apache CXF Fediz prior to 1.4.4 do not fully disable Document Type Declarations (DTDs) when either parsing the Identity Provider response in the application plugins, or in the Identity Provider itself when parsing certain XML-based parameters.

Remediation

References

https://github.com/apache/cxf-fediz/commit/b6ed9865d0614332fa419fe4b6d0fe81bc2e660d

http://cxf.apache.org/security-advisories.data/CVE-2018-8038.txt.asc

http://www.securitytracker.com/id/1041220

https://lists.apache.org/thread.html/f0a6a05ec3b3a00458da43712b0ff3a2f573175d9bfb39fb0de21424%40%3Cdev.cxf.apache.org%3E

https://lists.apache.org/thread.html/rc774278135816e7afc943dc9fc78eb0764f2c84a2b96470a0187315c%40%3Ccommits.cxf.apache.org%3E

https://lists.apache.org/thread.html/r36e44ffc1a9b365327df62cdfaabe85b9a5637de102cea07d79b2dbf%40%3Ccommits.cxf.apache.org%3E

https://lists.apache.org/thread.html/rff42cfa5e7d75b7c1af0e37589140a8f1999e578a75738740b244bd4%40%3Ccommits.cxf.apache.org%3E

https://lists.apache.org/thread.html/rd49aabd984ed540c8ff7916d4d79405f3fa311d2fdbcf9ed307839a6%40%3Ccommits.cxf.apache.org%3E

https://lists.apache.org/thread.html/rec7160382badd3ef4ad017a22f64a266c7188b9ba71394f0d321e2d4%40%3Ccommits.cxf.apache.org%3E

https://lists.apache.org/thread.html/rfb87e0bf3995e7d560afeed750fac9329ff5f1ad49da365129b7f89e%40%3Ccommits.cxf.apache.org%3E

Related Vulnerabilities

CVE-2023-31579 Vulnerability in maven package top.tangyh.basic:lamp-util

CVE-2023-36542 Vulnerability in maven package org.apache.nifi:nifi-dbcp-service

CVE-2023-32070 Vulnerability in maven package org.xwiki.rendering:xwiki-rendering-syntax-html5

CVE-2024-22207 Vulnerability in npm package @fastify/swagger-ui

CVE-2017-12647 Vulnerability in maven package com.liferay:com.liferay.knowledge.base.service

Severity

High

Classification

CWE-20 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Tags

Patch Third Party Advisory Vendor Advisory VDB Entry