Apache CXF CVE-2017-5656 Information Disclosure Vulnerability

Apache CXF is prone to an information-disclosure vulnerability.

Attackers can exploit this issue to obtain sensitive information that may aid in launching further attacks.

The following versions are affected:

Apache CXF 3.0.x prior to 3.0.13
Apache CXF 3.1.x prior to 3.1.11

Information

Bugtraq ID: 97971
Class: Design Error
CVE: CVE-2017-5656

Remote: Yes
Local: No
Published: Apr 18 2017 12:00AM
Updated: Apr 18 2017 12:00AM
Credit: The vendor reported this issue.
Vulnerable: Apache Cxf 3.1.8
Apache Cxf 3.1.7
Apache Cxf 3.1.3
Apache Cxf 3.1.2
Apache Cxf 3.1.1
Apache Cxf 3.1
Apache Cxf 3.0.11
Apache Cxf 3.0.10
Apache Cxf 3.0.7
Apache Cxf 3.0.6
Apache Cxf 3.0.5
Apache Cxf 3.0.4
Apache Cxf 3.0.3
Apache Cxf 3.0.2
Apache Cxf 3.0.1

Not Vulnerable: Apache Cxf 3.1.11

Exploit

Attackers can exploit this issue using a browser or readily available tools.

References:

• Apache CXF Homepage (Apache Software Foundation)
  
• Apache Homepage (Apache)
  
• Refactor how we extract "IDs" from delegation tokens when used for caching (Apache)
  
• CVE-2017-5656: Apache CXF's STSClient uses a flawed way of caching tokens (Apache)
  

Source: www.securityfocus.com