CVE-2017-7662 Information

Description

Apache CXF Fediz ships with an OpenId Connect (OIDC) service which has a Client Registration Service which is a simple web application that allows clients to be created deleted etc. A CSRF (Cross Style Request Forgery) style vulnerability has been found in this web application in Apache CXF Fediz prior to 1.4.0 and 1.3.2 meaning that a malicious web application could create new clients or reset secrets etc after the admin user has logged on to the client registration service and the session is still active.

CVSS Vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Reference

http://cxf.apache.org/security-advisories.data/CVE-2017-7662.txt.asc http://www.securitytracker.com/id/1038498 https://lists.apache.org/thread.html/r36e44ffc1a9b365327df62cdfaabe85b9a5637de102cea07d79b2dbf@3Ccommits.cxf.apache.org3E https://lists.apache.org/thread.html/rc774278135816e7afc943dc9fc78eb0764f2c84a2b96470a0187315c@3Ccommits.cxf.apache.org3E https://lists.apache.org/thread.html/rd49aabd984ed540c8ff7916d4d79405f3fa311d2fdbcf9ed307839a6@3Ccommits.cxf.apache.org3E https://lists.apache.org/thread.html/rff42cfa5e7d75b7c1af0e37589140a8f1999e578a75738740b244bd4@3Ccommits.cxf.apache.org3E

Attack Complexity

LOW

Privileges Required

NONE

User Interaction Required

NONE

Scope

REQUIRED

Confidentiality Impact

UNCHANGED

Integrity Impact

HIGH

Availability Impact

HIGH

Base Score

HIGH

Base Severity

8.8