CVE-2018-8038: Improper Input Validation

October 18, 2018 (updated June 17, 2021)

Versions of Apache CXF Fediz prior to 1.4.4 do not fully disable Document Type Declarations (DTDs) when either parsing the Identity Provider response in the application plugins, or in the Identity Provider itself when parsing certain XML-based parameters.

References

github.com/advisories/GHSA-w3gh-g32m-cvhr
github.com/apache/cxf-fediz/commit/b6ed9865d0614332fa419fe4b6d0fe81bc2e660d
nvd.nist.gov/vuln/detail/CVE-2018-8038

Detect and mitigate CVE-2018-8038 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →