CVE-2016-4464 — High severity vulnerability that affects org.apache.cxf.fediz:fediz-spring and o

Description

The application plugins in Apache CXF Fediz 1.2.x before 1.2.3 and 1.3.x before 1.3.1 do not match SAML AudienceRestriction values against configured audience URIs, which might allow remote attackers to have bypass intended restrictions and have unspecified other impact via a crafted SAML token with a trusted signature.

How to fix CVE-2016-4464

To remediate CVE-2016-4464, upgrade the affected package to a fixed version below.

Maven/org.apache.cxf.fediz:fediz-spring—upgrade to 1.2.3 or later
—upgrade to 1.2.3 or later

Is CVE-2016-4464 being exploited?

Low — EPSS is 2.1%, meaning exploitation activity has not been observed at scale.

Affected packages (2)

>= 1.2.0, < 1.2.3
>= 1.2.0, < 1.2.3

References (13)

ADVISORYgithub.com/advisories/GHSA-qpwj-mvv7-v3m9
ADVISORYnvd.nist.gov/vuln/detail/CVE-2016-4464
WEBcxf.apache.org/security-advisories.data/CVE-2016-4464.txt.asc
WEBgit-wip-us.apache.org/repos/asf?p=cxf-fediz.git;a=commit;h=0006581e9cacbeef46381a223e5671e524d416b6