CVE-2021-22696: Uncontrolled Resource Consumption

April 2, 2021 (updated November 7, 2023)

CXF supports (via JwtRequestCodeFilter) passing OAuth 2 parameters via a JWT token as opposed to query parameters (see: The OAuth Authorization Framework: JWT Secured Authorization Request (JAR)). Instead of sending a JWT token as a request parameter, the spec also supports specifying a URI from which to retrieve a JWT token from via the request_uri parameter. CXF was not validating the request_uri parameter (apart from ensuring it uses https) and was making a REST request to the parameter in the request to retrieve a token. This means that CXF was vulnerable to DDos attacks on the authorization server, as specified in section of the spec.

References

Detect and mitigate CVE-2021-22696 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →