CVE-2017-7661

Description

Apache CXF Fediz ships with a number of container-specific plugins to enable WS-Federation for applications. A CSRF (Cross Style Request Forgery) style vulnerability has been found in the Spring 2, Spring 3, Jetty 8 and Jetty 9 plugins in Apache CXF Fediz prior to 1.4.0, 1.3.2 and 1.2.4.

How to fix CVE-2017-7661

To remediate CVE-2017-7661, upgrade the affected package to a fixed version below.

• Maven/org.apache.cxf.fediz:fediz-jetty8—upgrade to 1.3.2 or later
• —upgrade to 1.3.2 or later
• —upgrade to 1.3.2 or later

Is CVE-2017-7661 being exploited?

Low — EPSS is 0.9%, meaning exploitation activity has not been observed at scale.

Affected packages (3)

• from 0, < 1.3.2
• from 0, < 1.3.2
• >= 1.3.0, < 1.3.2

References (10)

• ADVISORYgithub.com/advisories/GHSA-whw7-h25v-9qvx
• ADVISORYnvd.nist.gov/vuln/detail/CVE-2017-7661
• WEBcxf.apache.org/security-advisories.data/CVE-2017-7661.txt.asc
• WEBlists.apache.org/thread.html/r36e44ffc1a9b365327df62cdfaabe85b9a5637de102cea07d79b2dbf@%3Ccommits.cxf.apache.org%3E