org.apache.cxf:cxf-rt-rs-security-jose@3.1.9 vulnerabilities
-
latest version
4.0.4
-
latest non vulnerable version
-
first published
10 years ago
-
latest version published
2 months ago
-
licenses detected
- [3.0.2,)
-
package manager
Direct Vulnerabilities
Known vulnerabilities in the org.apache.cxf:cxf-rt-rs-security-jose package. This does not include vulnerabilities belonging to this package’s dependencies.
Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.Vulnerability | Vulnerable Version |
---|---|
org.apache.cxf:cxf-rt-rs-security-jose is a services framework. Affected versions of this package are vulnerable to Information Exposure. Apache CXF ships with a OpenId Connect JWK Keys service, which allows a client to obtain the public keys in JWK format, which can then be used to verify the signature of tokens issued by the service. Typically, the service obtains the public key from a local keystore (JKS/PKCS12) by specifing the path of the keystore and the alias of the keystore entry. This case is not vulnerable. However it is also possible to obtain the keys from a JWK keystore file, by setting the configuration parameter How to fix Information Exposure? Upgrade |
[,3.2.12)
[3.3.0,3.3.5)
|
org.apache.cxf:cxf-rt-rs-security-jose is a services framework. Affected versions of this package are vulnerable to Timing Attack because it does not use a constant time MAC signature comparison algorithm. How to fix Timing Attack? Upgrade |
[,3.0.13)
[3.1.0,3.1.10)
|