Security restrictions bypass in Apache CXF Fediz - CVE-2016-4464
Published: September 23, 2016 / Updated: March 21, 2018
Vulnerability identifier: #VU648
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2016-4464
CWE-ID: CWE-284
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vendor: Apache Foundation
Affected software:
Apache CXF Fediz
Apache CXF Fediz
Detailed vulnerability description
The vulnerability allows a remote authenticated user to bypass security restrictions on the target system.
The weakness is caused by improper access control. Improper evaluation of the AudienceRestriction values of received SAML tokens allows attackers to gain access to different services on the target system.
Successful exploitation of the vulnerability results in access to the services on the vulnerable system.
The weakness is caused by improper access control. Improper evaluation of the AudienceRestriction values of received SAML tokens allows attackers to gain access to different services on the target system.
Successful exploitation of the vulnerability results in access to the services on the vulnerable system.
How to mitigate CVE-2016-4464
Update to 1.2.3 or 1.3.1.