CVE-2016-4464: Improper Access Control

October 18, 2018 (updated June 17, 2021)

The application plugins in Apache CXF Fediz 1.2.x before 1.2.3 and 1.3.x before 1.3.1 do not match SAML AudienceRestriction values against configured audience URIs, which might allow remote attackers to have bypass intended restrictions and have unspecified other impact via a crafted SAML token with a trusted signature.

References

github.com/advisories/GHSA-qpwj-mvv7-v3m9
nvd.nist.gov/vuln/detail/CVE-2016-4464

Detect and mitigate CVE-2016-4464 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →