CVE-2021-22696: Uncontrolled Resource Consumption
(updated )
CXF supports (via JwtRequestCodeFilter
) passing OAuth 2 parameters via a JWT token as opposed to query parameters (see: The OAuth Authorization Framework: JWT Secured Authorization Request (JAR)). Instead of sending a JWT token as a request
parameter, the spec also supports specifying a URI from which to retrieve a JWT token from via the request_uri
parameter. CXF was not validating the request_uri
parameter (apart from ensuring it uses https) and was making a REST request to the parameter in the request to retrieve a token. This means that CXF was vulnerable to DDos attacks on the authorization server, as specified in section of the spec.
References
Detect and mitigate CVE-2021-22696 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →