返回 CVE 浏览器

CVE-2016-4464

CRITICAL

9.8

CVSS Severity Score

EPSS Score0.2000%

EPSS Percentile33.88th

Published2016年9月21日

Last Modified2026年5月6日

Vulnerability Description

The application plugins in Apache CXF Fediz 1.2.x before 1.2.3 and 1.3.x before 1.3.1 do not match SAML AudienceRestriction values against configured audience URIs, which might allow remote attackers to have bypass intended restrictions and have unspecified other impact via a crafted SAML token with a trusted signature.

Affected Platforms (CPE)

📦

Apache

Cxf Fediz

= 1.2.0

📦

Apache

Cxf Fediz

= 1.2.1

📦

Apache

Cxf Fediz

= 1.2.2

📦

Apache

Cxf Fediz

= 1.3.0

References & Advisories

🔗 http://cxf.apache.org/security-advisories.data/CVE-2016-4464.txt.asc

🔗 http://www.openwall.com/lists/oss-security/2016/09/08/20

🔗 http://www.securityfocus.com/bid/92905

🔗 http://www.securitytracker.com/id/1036869

🔗 https://git-wip-us.apache.org/repos/asf?p=cxf-fediz.git%3Ba=commit%3Bh=0006581e9cacbeef46381a223e5671e524d416b6

🔗 https://lists.apache.org/thread.html/r36e44ffc1a9b365327df62cdfaabe85b9a5637de102cea07d79b2dbf%40%3Ccommits.cxf.apache.org%3E

🔗 https://lists.apache.org/thread.html/rc774278135816e7afc943dc9fc78eb0764f2c84a2b96470a0187315c%40%3Ccommits.cxf.apache.org%3E

🔗 https://lists.apache.org/thread.html/rd49aabd984ed540c8ff7916d4d79405f3fa311d2fdbcf9ed307839a6%40%3Ccommits.cxf.apache.org%3E

相关漏洞威胁

CVE-2017-76618.8

Apache CXF Fediz ships with a number of container-specific plugins to enable WS-Federation for applications. A CSRF (Cross Style R...

CVE-2017-76628.8

Apache CXF Fediz ships with an OpenId Connect (OIDC) service which has a Client Registration Service, which is a simple web applic...

CVE-2017-126318.8

Apache CXF Fediz ships with a number of container-specific plugins to enable WS-Federation for applications. A CSRF (Cross Style R...

CVE-2015-51757.5

Application plugins in Apache CXF Fediz before 1.1.3 and 1.2.x before 1.2.1 allow remote attackers to cause a denial of service.