CVE-2014-0034: Input Validation
First published: Fri May 02 2014(Updated: )
The SecurityTokenService (STS) in Apache CXF before 2.6.12 and 2.7.x before 2.7.9 does not properly validate SAML tokens when caching is enabled, which allows remote attackers to gain access via an invalid SAML token.
Credit: secalert@redhat.com secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Apache CXF | <=2.6.11 | |
| Apache CXF | =2.6.0 | |
| Apache CXF | =2.6.1 | |
| Apache CXF | =2.6.2 | |
| Apache CXF | =2.6.3 | |
| Apache CXF | =2.6.4 | |
| Apache CXF | =2.6.5 | |
| Apache CXF | =2.6.6 | |
| Apache CXF | =2.6.7 | |
| Apache CXF | =2.6.8 | |
| Apache CXF | =2.6.9 | |
| Apache CXF | =2.6.10 | |
| Redhat Jboss Enterprise Application Platform | =6.0.0 | |
| Redhat Jboss Enterprise Application Platform | =6.2.0 | |
| Apache CXF | =2.7.0 | |
| Apache CXF | =2.7.1 | |
| Apache CXF | =2.7.2 | |
| Apache CXF | =2.7.3 | |
| Apache CXF | =2.7.4 | |
| Apache CXF | =2.7.5 | |
| Apache CXF | =2.7.6 | |
| Apache CXF | =2.7.7 | |
| Apache CXF | =2.7.8 | |
| maven/org.apache.cxf:cxf-rt-ws-security | >=2.7.0<2.7.9 | 2.7.9 |
| maven/org.apache.cxf:cxf-rt-ws-security | <2.6.12 | 2.6.12 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://cxf.apache.org/security-advisories.data/CVE-2014-0034.txt.asc
- http://svn.apache.org/viewvc?view=revision&revision=1551228
- https://rhn.redhat.com/errata/RHSA-2014-0797.html
- https://rhn.redhat.com/errata/RHSA-2014-0798.html
- https://rhn.redhat.com/errata/RHSA-2014-0799.html
- https://rhn.redhat.com/errata/RHSA-2014-1351.html
- https://rhn.redhat.com/errata/RHSA-2015-0851.html
- https://rhn.redhat.com/errata/RHSA-2015-0850.html
- https://rhn.redhat.com/errata/RHSA-2015-1009.html
- https://bugzilla.redhat.com/show_bug.cgi?id=1093529
- http://rhn.redhat.com/errata/RHSA-2014-0797.html
- http://rhn.redhat.com/errata/RHSA-2014-0798.html
- http://rhn.redhat.com/errata/RHSA-2014-0799.html
- http://rhn.redhat.com/errata/RHSA-2014-1351.html
- http://rhn.redhat.com/errata/RHSA-2015-0850.html
- http://rhn.redhat.com/errata/RHSA-2015-0851.html
- http://www.securityfocus.com/bid/68441
- https://lists.apache.org/thread.html/r36e44ffc1a9b365327df62cdfaabe85b9a5637de102cea07d79b2dbf@%3Ccommits.cxf.apache.org%3E
- https://lists.apache.org/thread.html/rc774278135816e7afc943dc9fc78eb0764f2c84a2b96470a0187315c@%3Ccommits.cxf.apache.org%3E
- https://lists.apache.org/thread.html/rd49aabd984ed540c8ff7916d4d79405f3fa311d2fdbcf9ed307839a6@%3Ccommits.cxf.apache.org%3E
- https://lists.apache.org/thread.html/rec7160382badd3ef4ad017a22f64a266c7188b9ba71394f0d321e2d4@%3Ccommits.cxf.apache.org%3E
- https://lists.apache.org/thread.html/rfb87e0bf3995e7d560afeed750fac9329ff5f1ad49da365129b7f89e@%3Ccommits.cxf.apache.org%3E
- https://lists.apache.org/thread.html/rff42cfa5e7d75b7c1af0e37589140a8f1999e578a75738740b244bd4@%3Ccommits.cxf.apache.org%3E
- https://nvd.nist.gov/vuln/detail/CVE-2014-0034
- https://github.com/apache/cxf/commit/b4b9a010bb23059251400455afabddee15b46127
- https://github.com/advisories/GHSA-38x2-fp9m-87mx (Advisory)
- https://lists.apache.org/thread.html/r36e44ffc1a9b365327df62cdfaabe85b9a5637de102cea07d79b2dbf%40%3Ccommits.cxf.apache.org%3E
- https://lists.apache.org/thread.html/rc774278135816e7afc943dc9fc78eb0764f2c84a2b96470a0187315c%40%3Ccommits.cxf.apache.org%3E
- https://lists.apache.org/thread.html/rd49aabd984ed540c8ff7916d4d79405f3fa311d2fdbcf9ed307839a6%40%3Ccommits.cxf.apache.org%3E
- https://lists.apache.org/thread.html/rec7160382badd3ef4ad017a22f64a266c7188b9ba71394f0d321e2d4%40%3Ccommits.cxf.apache.org%3E
- https://lists.apache.org/thread.html/rfb87e0bf3995e7d560afeed750fac9329ff5f1ad49da365129b7f89e%40%3Ccommits.cxf.apache.org%3E
- https://lists.apache.org/thread.html/rff42cfa5e7d75b7c1af0e37589140a8f1999e578a75738740b244bd4%40%3Ccommits.cxf.apache.org%3E
- collector/nvd-index
- collector/github-advisory-latest
- alias/GHSA-38x2-fp9m-87mx
- alias/CVE-2014-0034
- collector/nvd-cve
- collector/github-advisory
- agent/author
- agent/type
- agent/first-publish-date
- agent/softwarecombine
- collector/mitre-cve
- source/MITRE
- agent/weakness
- agent/remedy
- agent/severity
- agent/last-modified-date
- agent/references
- agent/event
- agent/description
- collector/redhat-bugzilla
- source/Red Hat
- agent/software-canonical-lookup
- agent/tags
- agent/trending
- vendor/apache
- canonical/apache cxf
- version/apache cxf/2.6.11
- version/apache cxf/2.6.0
- version/apache cxf/2.6.1
- version/apache cxf/2.6.2
- version/apache cxf/2.6.3
- version/apache cxf/2.6.4
- version/apache cxf/2.6.5
- version/apache cxf/2.6.6
- version/apache cxf/2.6.7
- version/apache cxf/2.6.8
- version/apache cxf/2.6.9
- version/apache cxf/2.6.10
- vendor/redhat
- canonical/redhat jboss enterprise application platform
- version/redhat jboss enterprise application platform/6.0.0
- version/redhat jboss enterprise application platform/6.2.0
- version/apache cxf/2.7.0
- version/apache cxf/2.7.1
- version/apache cxf/2.7.2
- version/apache cxf/2.7.3
- version/apache cxf/2.7.4
- version/apache cxf/2.7.5
- version/apache cxf/2.7.6
- version/apache cxf/2.7.7
- version/apache cxf/2.7.8
- package-manager/maven
- package-manager/redhat