org.apache.cxf:cxf-rt-rs-security-oauth2@4.1.6

  • latest version

    4.2.1

  • first published

    14 years ago

  • latest version published

    1 month ago

  • Direct Vulnerabilities

    Known vulnerabilities in the org.apache.cxf:cxf-rt-rs-security-oauth2 package. This does not include vulnerabilities belonging to this package’s dependencies.

    Vulnerability / Vulnerable versions
    • Critical: Time-of-check Time-of-use (TOCTOU) Race Condition

    org.apache.cxf:cxf-rt-rs-security-oauth2 is a services framework.

    Affected versions of this package are vulnerable to Time-of-check Time-of-use (TOCTOU) Race Condition due to a race condition in the AbstractOAuthDataProvider method when handling refresh tokens if the recycleRefreshTokens setting is set to false. Because the token is checked and then consumed in separate, non-atomic steps, an attacker can obtain multiple valid access tokens by concurrently replaying a leaked refresh token.

    How to fix Time-of-check Time-of-use (TOCTOU) Race Condition?

    Upgrade org.apache.cxf:cxf-rt-rs-security-oauth2 to version 4.1.7, 4.2.2 or higher.

    Vulnerable versions: [,4.1.7), [4.2.0,4.2.2)
    • Medium: HTTP Response Splitting

    org.apache.cxf:cxf-rt-rs-security-oauth2 is a services framework.

    Affected versions of this package are vulnerable to HTTP Response Splitting via improper handling of the realm parameter in the construction of the WWW-Authenticate response header. An attacker can inject arbitrary HTTP headers or split the HTTP response by supplying specially crafted input containing Carriage Return (CR) and Line Feed (LF) characters.

    How to fix HTTP Response Splitting?

    Upgrade org.apache.cxf:cxf-rt-rs-security-oauth2 to version 4.1.7, 4.2.2 or higher.

    Vulnerable versions: [,4.1.7), [4.2.0,4.2.2)
    • High: Authentication Bypass by Alternate Name

    org.apache.cxf:cxf-rt-rs-security-oauth2 is a services framework.

    Affected versions of this package are vulnerable to Authentication Bypass by Alternate Name via the JwtAccessTokenValidator class, which does not verify that a JWT access token was issued for the resource server validating it. An attacker can gain unauthorized access to protected resources by replaying a JWT access token intended for one resource server against a different resource server.

    How to fix Authentication Bypass by Alternate Name?

    Upgrade org.apache.cxf:cxf-rt-rs-security-oauth2 to version 4.1.7, 4.2.2 or higher.

    Vulnerable versions: [,4.1.7), [4.2.0,4.2.2)
    • Medium: Missing Authentication for Critical Function

    org.apache.cxf:cxf-rt-rs-security-oauth2 is a services framework.

    Affected versions of this package are vulnerable to Missing Authentication for Critical Function due to a missing 'throw' keyword in the security context check within the TokenIntrospectionService method. An attacker can gain unauthorized access to the /services/oauth2/introspect endpoint by sending unauthenticated network requests. This is only exploitable if authentication has not been enabled on the service.

    How to fix Missing Authentication for Critical Function?

    Upgrade org.apache.cxf:cxf-rt-rs-security-oauth2 to version 4.1.7, 4.2.2 or higher.

    Vulnerable versions: [,4.1.7), [4.2.0,4.2.2)
    • Medium: CRLF Injection

    org.apache.cxf:cxf-rt-rs-security-oauth2 is a services framework.

    Affected versions of this package are vulnerable to CRLF Injection via the clientId parameter, which is concatenated directly into server log warning messages without sanitizing control characters. An attacker can manipulate log files by injecting arbitrary content, including fake log entries, through specially crafted HTTP requests, which can mislead anyone reviewing the logs.

    How to fix CRLF Injection?

    Upgrade org.apache.cxf:cxf-rt-rs-security-oauth2 to version 4.1.7, 4.2.2 or higher.

    Vulnerable versions: [,4.1.7), [4.2.0,4.2.2)
    • High: Improperly Implemented Security Check for Standard

    org.apache.cxf:cxf-rt-rs-security-oauth2 is a services framework.

    Affected versions of this package are vulnerable to Improperly Implemented Security Check for Standard due to a logic error in the OAuthRequestFilter request handler. The IP address check is inverted: the security control allows requests from unauthorized IP addresses while rejecting legitimate ones from the bound IP address, so an attacker can bypass the intended IP address restrictions.

    How to fix Improperly Implemented Security Check for Standard?

    Upgrade org.apache.cxf:cxf-rt-rs-security-oauth2 to version 4.1.7, 4.2.2 or higher.

    Vulnerable versions: [,4.1.7), [4.2.0,4.2.2)