CVE-2017-5656
Information Exposure vulnerability in cxf-core (Maven)


What is CVE-2017-5656 About?

Apache CXF's STSClient before versions 3.1.11 and 3.0.13 has a flaw in caching delegation tokens, which can lead to information exposure. An attacker can craft a token to retrieve identifiers for cached tokens belonging to other users. This vulnerability is moderately complex to exploit.

Affected Software

  • org.apache.cxf:cxf-core
    • >3.1.0, <3.1.11
    • <3.0.13

Technical Details

The vulnerability exists in the STSClient component of Apache CXF, specifically in versions prior to 3.1.11 and 3.0.13. The STSClient employs a flawed mechanism for caching security tokens that are associated with delegation tokens. This flaw allows an attacker to construct a specially crafted token which, when presented to the STSClient, causes it to return an identifier that corresponds to a cached token intended for a different, legitimate user. In effect, an attacker can query or infer the existence and identifiers of other users' delegated tokens in the cache, leading to information exposure without directly accessing the tokens themselves.

What is the Impact of CVE-2017-5656?

Successful exploitation may allow attackers to gain access to sensitive information, infer system configurations, or aid in further attacks by revealing user-specific data.

What is the Exploitability of CVE-2017-5656?

Exploitation of this vulnerability would typically involve an attacker crafting a specific security token. The complexity is moderate, as it requires understanding the STSClient's token caching logic. Authentication to the system might be required to submit a token, though the vulnerability itself could allow bypassing delegation mechanisms. No specific elevated privileges are necessarily needed beyond being able to interact with the STSClient. This is most likely a remote exploit, given that STSClient handles security tokens over a network. The main prerequisite is an application using the vulnerable STSClient version and accepting tokens from external sources.

What are the Known Public Exploits?

No known public exploits (no PoC, author, link or commentary listed).

What are the Available Fixes for CVE-2017-5656?

A Fix by Resolved Security Exists!

About the Fix from Resolved Security

This patch introduces careful handling for issued SAML tokens, ensuring tokens marked with the "OneTimeUse" condition are not cached at the endpoint level, but only per message. It fixes CVE-2017-5656 by preventing the reuse of one-time-use security tokens, which could otherwise allow replay attacks or unauthorized access if they were cached and reused.

Available Upgrade Options

  • org.apache.cxf:cxf-core
    • <3.0.13 → Upgrade to 3.0.13
  • org.apache.cxf:cxf-core
    • >3.1.0, <3.1.11 → Upgrade to 3.1.11
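As an added example (not code from the advisory or from Apache CXF), the following Python helper scans `mvn dependency:tree` output for `org.apache.cxf:cxf-core` and flags versions inside the affected ranges listed under Affected Software and Available Upgrade Options above, reporting the fixed version for each branch. The ranges are encoded exactly as the advisory states them, and the dependency-tree lines are constructed sample input.

```python
import re

# Affected ranges as stated in the advisory: (exclusive lower bound or None,
# exclusive upper bound, fixed version to upgrade to).
AFFECTED_RANGES = [
    ((3, 1, 0), (3, 1, 11), "3.1.11"),   # >3.1.0, <3.1.11
    (None, (3, 0, 13), "3.0.13"),        # <3.0.13
]

# Matches Maven coordinates such as "org.apache.cxf:cxf-core:jar:3.1.10:compile".
DEP_LINE = re.compile(
    r"(?P<group>[\w.\-]+):(?P<artifact>[\w.\-]+):(?P<type>[\w\-]+):"
    r"(?P<version>[^:\s]+)(?::(?P<scope>\w+))?"
)


def parse_version(version):
    """Turn '3.1.10' or '3.0.13-SNAPSHOT' into a comparable (major, minor, patch) tuple."""
    m = re.match(r"(\d+)(?:\.(\d+))?(?:\.(\d+))?", version)
    if not m:
        raise ValueError(f"unparseable version: {version}")
    return tuple(int(part) if part is not None else 0 for part in m.groups())


def affected_range(version):
    """Return the fixed version if `version` falls in an affected range, else None."""
    v = parse_version(version)
    for lower, upper, fixed in AFFECTED_RANGES:
        if (lower is None or v > lower) and v < upper:
            return fixed
    return None


def scan_dependency_tree(text):
    """Return [(found_version, fixed_version)] for every vulnerable cxf-core entry."""
    findings = []
    for line in text.splitlines():
        m = DEP_LINE.search(line)
        if not m or (m["group"], m["artifact"]) != ("org.apache.cxf", "cxf-core"):
            continue
        fixed = affected_range(m["version"])
        if fixed:
            findings.append((m["version"], fixed))
    return findings


# Constructed sample of `mvn dependency:tree` output (not real project output).
SAMPLE_TREE = "\n".join([
    "[INFO] com.example:app:jar:1.0.0",
    "[INFO] +- org.apache.cxf:cxf-core:jar:3.1.10:compile",
    "[INFO] +- org.apache.cxf:cxf-rt-ws-security:jar:3.1.10:compile",
    "[INFO] \\- org.slf4j:slf4j-api:jar:1.7.25:compile",
])

if __name__ == "__main__":
    for found, fixed in scan_dependency_tree(SAMPLE_TREE):
        print(f"cxf-core {found} is affected by CVE-2017-5656; upgrade to {fixed}")
```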


Additional Resources

What are Similar Vulnerabilities to CVE-2017-5656?

Similar Vulnerabilities: CVE-2021-44790, CVE-2020-13953, CVE-2019-12398, CVE-2019-0224, CVE-2017-15707