CVE-2018-8038
High severity vulnerability that affects org.apache.cxf.fediz:fediz-jetty8, org.apache.cxf.fediz:fediz-jetty9, org.apache.cxf.fediz:fediz-spring, org.apache.cxf.fediz:fediz-spring2, and org.apache.cxf.fediz:fediz-spring3
EPSS 50.4%
Description
Versions of Apache CXF Fediz prior to 1.4.4 do not fully disable Document Type Declarations (DTDs) when either parsing the Identity Provider response in the application plugins, or in the Identity Provider itself when parsing certain XML-based parameters.
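What "fully disabling DTDs" means in practice for a JAXP DOM parser is shown below. This is an added illustration for defenders reviewing their own XML handling; it is not code from Apache CXF Fediz or from the 1.4.4 fix, the class and helper names are ours, and the two sample documents are constructed. The feature URIs are the standard JAXP/Xerces ones. The parser is configured to reject any document carrying a DOCTYPE, and as defence in depth external entity and external DTD loading are switched off so that a parser which ignores the first setting still cannot fetch anything.

```java
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import java.io.StringReader;

public class HardenedXmlParser {

    // Assumption: the helper name is ours; the feature URIs are the standard
    // JAXP/Xerces identifiers.
    public static DocumentBuilder newHardenedBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        // Reject any document that contains a <!DOCTYPE ...> at all. This is the
        // one setting that fully disables DTDs; the rest are defence in depth.
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Never resolve external general or parameter entities.
        dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        // Never fetch an external DTD referenced by the document.
        dbf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        // Secure processing limits entity expansion and similar resource use.
        dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        dbf.setXIncludeAware(false);
        dbf.setExpandEntityReferences(false);
        return dbf.newDocumentBuilder();
    }

    // Returns true if the hardened parser accepted the document, false if it
    // rejected it (a SAXException is how a disallowed DOCTYPE surfaces).
    public static boolean accepts(String xml) throws ParserConfigurationException {
        try {
            Document doc = newHardenedBuilder().parse(new InputSource(new StringReader(xml)));
            return doc != null;
        } catch (org.xml.sax.SAXException | java.io.IOException e) {
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample inputs, not taken from any real identity-provider exchange.
        String plain = "<Response><Status>ok</Status></Response>";
        String withDoctype = "<!DOCTYPE r [<!ENTITY x \"y\">]><Response>&x;</Response>";
        System.out.println("plain document accepted:   " + accepts(plain));
        System.out.println("DOCTYPE document accepted: " + accepts(withDoctype));
    }
}
```

The point of the check is that a document with a DOCTYPE is refused before any entity is resolved; a parser that only turns off external entities but still accepts the DOCTYPE has not fully disabled DTDs in the sense the advisory describes.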
How to fix CVE-2018-8038
To remediate CVE-2018-8038, upgrade the affected package to a fixed version below.
- Maven/org.apache.cxf.fediz:fediz-jetty8: upgrade to 1.4.4 or later
- Maven/org.apache.cxf.fediz:fediz-jetty9: upgrade to 1.4.4 or later
- Maven/org.apache.cxf.fediz:fediz-spring: upgrade to 1.4.4 or later
- Maven/org.apache.cxf.fediz:fediz-spring2: upgrade to 1.4.4 or later
- Maven/org.apache.cxf.fediz:fediz-spring3: upgrade to 1.4.4 or later
Is CVE-2018-8038 being exploited?
Likely. EPSS is 50.4%, placing CVE-2018-8038 in the top tier of vulnerabilities by exploitation probability. Prioritise patching.
Affected packages (5)
- Maven/org.apache.cxf.fediz:fediz-jetty8: from 0, < 1.4.4
- Maven/org.apache.cxf.fediz:fediz-jetty9: from 0, < 1.4.4
- Maven/org.apache.cxf.fediz:fediz-spring: from 0, < 1.4.4
- Maven/org.apache.cxf.fediz:fediz-spring2: from 0, < 1.4.4
- Maven/org.apache.cxf.fediz:fediz-spring3: from 0, < 1.4.4