CVE-2017-7661: CSRF
First published: Tue May 16 2017(Updated: )
Apache CXF Fediz ships with a number of container-specific plugins to enable WS-Federation for applications. A CSRF (Cross Style Request Forgery) style vulnerability has been found in the Spring 2, Spring 3, Jetty 8 and Jetty 9 plugins in Apache CXF Fediz prior to 1.4.0, 1.3.2 and 1.2.4.
Credit: security@apache.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Apache CXF Fediz | <=1.4.0 | |
| Apache CXF Fediz | =1.2.4 | |
| Apache CXF Fediz | =1.3.2 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://cxf.apache.org/security-advisories.data/CVE-2017-7661.txt.asc
- http://www.securitytracker.com/id/1038497
- https://lists.apache.org/thread.html/r36e44ffc1a9b365327df62cdfaabe85b9a5637de102cea07d79b2dbf@%3Ccommits.cxf.apache.org%3E
- https://lists.apache.org/thread.html/rc774278135816e7afc943dc9fc78eb0764f2c84a2b96470a0187315c@%3Ccommits.cxf.apache.org%3E
- https://lists.apache.org/thread.html/rd49aabd984ed540c8ff7916d4d79405f3fa311d2fdbcf9ed307839a6@%3Ccommits.cxf.apache.org%3E
- https://lists.apache.org/thread.html/rec7160382badd3ef4ad017a22f64a266c7188b9ba71394f0d321e2d4@%3Ccommits.cxf.apache.org%3E
- https://lists.apache.org/thread.html/rfb87e0bf3995e7d560afeed750fac9329ff5f1ad49da365129b7f89e@%3Ccommits.cxf.apache.org%3E
- https://lists.apache.org/thread.html/rff42cfa5e7d75b7c1af0e37589140a8f1999e578a75738740b244bd4@%3Ccommits.cxf.apache.org%3E
- https://lists.apache.org/thread.html/rc774278135816e7afc943dc9fc78eb0764f2c84a2b96470a0187315c%40%3Ccommits.cxf.apache.org%3E
- https://lists.apache.org/thread.html/r36e44ffc1a9b365327df62cdfaabe85b9a5637de102cea07d79b2dbf%40%3Ccommits.cxf.apache.org%3E
- https://lists.apache.org/thread.html/rff42cfa5e7d75b7c1af0e37589140a8f1999e578a75738740b244bd4%40%3Ccommits.cxf.apache.org%3E
- https://lists.apache.org/thread.html/rd49aabd984ed540c8ff7916d4d79405f3fa311d2fdbcf9ed307839a6%40%3Ccommits.cxf.apache.org%3E
- https://lists.apache.org/thread.html/rec7160382badd3ef4ad017a22f64a266c7188b9ba71394f0d321e2d4%40%3Ccommits.cxf.apache.org%3E
- https://lists.apache.org/thread.html/rfb87e0bf3995e7d560afeed750fac9329ff5f1ad49da365129b7f89e%40%3Ccommits.cxf.apache.org%3E
Frequently Asked Questions
What is the severity of CVE-2017-7661?
CVE-2017-7661 has been rated as a medium severity vulnerability due to its potential impact on CSRF attacks in specific plugins.
How do I fix CVE-2017-7661?
To fix CVE-2017-7661, upgrade Apache CXF Fediz to versions 1.4.0, 1.3.2, or 1.2.4 or later.
Which versions of Apache CXF Fediz are affected by CVE-2017-7661?
CVE-2017-7661 affects Apache CXF Fediz versions prior to 1.4.0, 1.3.2, and 1.2.4.
What types of plugins are affected by CVE-2017-7661?
The vulnerability exists in the Spring 2, Spring 3, Jetty 8, and Jetty 9 plugins of Apache CXF Fediz.
What kind of vulnerability is CVE-2017-7661?
CVE-2017-7661 is a Cross-Site Request Forgery (CSRF) style vulnerability.
- collector/nvd-index
- agent/type
- agent/softwarecombine
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/references
- agent/author
- agent/severity
- agent/weakness
- agent/remedy
- agent/tags
- agent/description
- agent/first-publish-date
- agent/event
- agent/source
- vendor/apache
- canonical/apache cxf fediz
- version/apache cxf fediz/1.4.0
- version/apache cxf fediz/1.2.4
- version/apache cxf fediz/1.3.2