CVE-2018-8038

HIGH

Apache CXF Fediz <1.4.4 - Info Disclosure

Exploitation Summary

EIP tracks 1 public exploit for CVE-2018-8038. PoCs published by tafamace.

AI-analyzed exploit summary: The provided code is a simple Java stub that prints command-line arguments and does not demonstrate any exploit functionality for CVE-2018-8038. It lacks any offensive techniques or vulnerability exploitation logic.

Description

Versions of Apache CXF Fediz prior to 1.4.4 do not fully disable Document Type Declarations (DTDs) when either parsing the Identity Provider response in the application plugins, or in the Identity Provider itself when parsing certain XML-based parameters.

Exploits (1)

nomisec STUB
by tafamace · poc
https://github.com/tafamace/CVE-2018-8038

Classification: Stub 90%
Attack Type: Other
Complexity: Trivial
Reliability: Theoretical
Target: Unknown (no exploit logic present)
No auth needed
Prerequisites: None (no exploit logic present)
devstral-2 · analyzed Feb 16, 2026

References (10)

Core References
Third Party Advisory, VDB Entry vdb-entry x_refsource_sectrack
http://www.securitytracker.com/id/1041220

Scores

CVSS v3 7.5
EPSS 0.5043
EPSS Percentile 97.9%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Details

CWE: CWE-20
Status: published
Products (6)
apache/cxf_fediz < 1.4.4
org.apache.cxf.fediz/fediz-jetty8 0 - 1.4.4 (Maven)
org.apache.cxf.fediz/fediz-jetty9 0 - 1.4.4 (Maven)
org.apache.cxf.fediz/fediz-spring 0 - 1.4.4 (Maven)
org.apache.cxf.fediz/fediz-spring2 0 - 1.4.4 (Maven)
org.apache.cxf.fediz/fediz-spring3 0 - 1.4.4 (Maven)
Published Jul 05, 2018
Tracked Since Feb 18, 2026