CVE-2021-22696

CXF supports (via JwtRequestCodeFilter) passing OAuth 2 parameters via a JWT token as opposed to query parameters (see: The OAuth 2.0 Authorization Framework: JWT Secured Authorization Request (JAR)). Instead of sending a JWT token as a "request" parameter, the spec also supports specifying a URI from which to retrieve a JWT token from via the "request_uri" parameter. CXF was not validating the "request_uri" parameter (apart from ensuring it uses "https) and was making a REST request to the parameter in the request to retrieve a token. This means that CXF was vulnerable to DDos attacks on the authorization server, as specified in section 10.4.1 of the spec. This issue affects Apache CXF versions prior to 3.4.3; Apache CXF versions prior to 3.3.10.

Published: Apr 2, 2021
Updated: Nov 8, 2023
CVE: CVE-2021-22696
GHSA: GHSA-7q4h-pj78-j7vg
Severity: High
Exploit:

CVSS v3:

Severity: High
Score: 7.5
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVSS v2:

Severity: Medium
Score: 5
AV:N/AC:L/Au:N/C:N/I:N/A:P

CWEs:

Affected Software
References

Software	From	Fixed in
apache / cxf	3.4.0	3.4.3
apache / cxf	-	3.3.10
oracle / business_intelligence	12.2.1.3.0	12.2.1.3.0.x
oracle / business_intelligence	12.2.1.4.0	12.2.1.4.0.x
oracle / business_intelligence	5.5.0.0.0	5.5.0.0.0.x
oracle / communications_session_route_manager	8.0.0	8.2.4.x
oracle / communications_session_report_manager	8.0.0	8.2.4.0.x
oracle / business_intelligence	5.9.0.0.0	5.9.0.0.0.x
oracle / communications_element_manager	8.2.2	8.2.2.x
oracle / communications_diameter_intelligence_hub	8.0.0	8.1.0.x
oracle / communications_diameter_intelligence_hub	8.2.0	8.2.3.x
org.apache.cxf / cxf	3.4.0	3.4.3
org.apache.cxf / cxf	-	3.3.10
org.apache.cxf / apache-cxf	3.4.0	3.4.3
org.apache.cxf / apache-cxf	-	3.3.10

Vulnerability Database

289,599

CVE-2021-22696