CVE-2018-8038
Apache CXF Fediz <1.4.4 - Info Disclosure
Severity
HIGH
Title source: llmDescription
Versions of Apache CXF Fediz prior to 1.4.4 do not fully disable Document Type Declarations (DTDs) when either parsing the Identity Provider response in the application plugins, or in the Identity Provider itself when parsing certain XML-based parameters.
Exploits (1)
References (10)
Scores
CVSS v3
7.5
EPSS
0.5043
EPSS Percentile
97.9%
Attack Vector
NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Details
CWE
CWE-20
Status
published
Products (6)
apache/cxf_fediz
< 1.4.4
org.apache.cxf.fediz/fediz-jetty8
0 - 1.4.4 (Maven)
org.apache.cxf.fediz/fediz-jetty9
0 - 1.4.4 (Maven)
org.apache.cxf.fediz/fediz-spring
0 - 1.4.4 (Maven)
org.apache.cxf.fediz/fediz-spring2
0 - 1.4.4 (Maven)
org.apache.cxf.fediz/fediz-spring3
0 - 1.4.4 (Maven)
Published
Jul 05, 2018
Tracked Since
Feb 18, 2026