CVE-2021-22696

Uncontrolled Resource Consumption in maven/org.apache.cxf/cxf

Identifiers

CVE-2021-22696

Package Slug

maven/org.apache.cxf/cxf

Vulnerability

Uncontrolled Resource Consumption

Description

CXF supports (via JwtRequestCodeFilter) passing OAuth 2 parameters in a JWT token instead of as query parameters (see The OAuth 2.0 Authorization Framework: JWT Secured Authorization Request (JAR)). Rather than sending the JWT token itself as a request parameter, the spec also allows the client to supply a URI from which the JWT token is to be retrieved, via the request_uri parameter. CXF did not validate the request_uri parameter (apart from ensuring it uses https) and made a REST request to whatever URI was given in that parameter in order to retrieve the token. This means CXF was vulnerable to DDoS attacks on the authorization server, as specified in the spec.
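The following is an added example, not code from the advisory or from CXF, showing the checks an authorization server should apply to a JAR request_uri before dereferencing it: the https check the vulnerable code already made, plus rejection of internal hosts and, most importantly, an exact match against the request_uri values the client pre-registered. The client registry, client ids and URIs are constructed for illustration.

```python
# Added example (not CXF's code): validating a JAR request_uri before fetching it.
import ipaddress
from urllib.parse import urlparse

# Constructed registry: the request_uri values each client pre-registered with
# the authorization server.  Only exact matches are ever fetched.
REGISTERED_REQUEST_URIS = {
    "client-abc": {"https://client.example.com/jar/request.jwt"},
}


def _host_is_internal(host: str) -> bool:
    """Reject loopback, link-local and private targets even if registered."""
    if host == "localhost" or host.endswith(".localhost"):
        return True
    try:
        return not ipaddress.ip_address(host).is_global
    except ValueError:
        return False  # a DNS name; post-resolution checks belong in the fetcher


def validate_request_uri(client_id: str, request_uri: str) -> tuple[bool, str]:
    """Return (ok, reason); ok is True only for an https URI this client registered."""
    try:
        parts = urlparse(request_uri)
    except ValueError:
        return False, "unparseable request_uri"
    if parts.scheme != "https":  # the only check the vulnerable CXF code made
        return False, "scheme must be https"
    if not parts.hostname:
        return False, "missing host"
    if parts.username or parts.password:
        return False, "userinfo not allowed"
    if _host_is_internal(parts.hostname):
        return False, "internal host"
    # The fix that removes the DDoS/SSRF vector: never fetch an arbitrary URI,
    # only one the client registered out of band.
    if request_uri not in REGISTERED_REQUEST_URIS.get(client_id, set()):
        return False, "request_uri not pre-registered for client"
    return True, "ok"
```

The fetch itself should additionally apply a short timeout and a response size limit, so that even a registered URI cannot tie up server resources.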

Affected Versions

All versions before 3.3.10, all versions starting from 3.4.0 before 3.4.3

Solution

Upgrade to versions 3.3.10, 3.4.3 or above.

Last Modified

2021-04-10
