CVE-2017-7662
Cross-Site Request Forgery in Apache CXF Fediz
8.8
HIGH
CVSS 3.1
EPSS 0.99%
Description
Apache CXF Fediz ships with an OpenID Connect (OIDC) service which has a Client Registration Service, which is a simple web application that allows clients to be created, deleted, etc. A CSRF (Cross-Site Request Forgery) style vulnerability has been found in this web application in Apache CXF Fediz prior to 1.4.0 and 1.3.2, meaning that a malicious web application could create new clients, or reset secrets, etc., after the admin user has logged on to the client registration service and the session is still active.
How to fix CVE-2017-7662
To fix CVE-2017-7662, upgrade the affected package to one of the patched versions listed below.
- — upgrade to 1.3.2 or later
Is CVE-2017-7662 being exploited?
Low — EPSS is 1.0%; no large-scale exploitation activity has been observed so far.
Affected packages (1)
- from 0, < 1.3.2
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH 8.8 | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
References (10)
- ADVISORY nvd.nist.gov/vuln/detail/CVE-2017-7662
- WEB cxf.apache.org/security-advisories.data/CVE-2017-7662.txt.asc
- WEB github.com/apache/cxf-fediz/commit/c68e4820816c19241568f4a8fe8600bffb0243cd
- WEB lists.apache.org/thread.html/r36e44ffc1a9b365327df62cdfaabe85b9a5637de102cea07d79b2dbf@%3Ccommits.cxf.apache.org%3E