Strix
26.1K

CVE-2021-22696

HIGHCVSS 7.5/10EPSS 6.59%

Last modified

CVE-2021-22696 is a high-severity vulnerability rated 7.5/10 on the CVSS scale. CXF supports (via JwtRequestCodeFilter) passing OAuth 2 parameters via a JWT token as opposed to query parameters (see: The OAuth 2.0 Authorization Framework: JWT Secured Authorization Request (JAR)). Instead of sending a JWT token as a "request" parameter, the spec also supports specifying a URI from which to retrieve a JWT token from via the "request_uri" parameter. EPSS estimates a 6.59% chance of exploitation in the next 30 days.

Description

CXF supports (via JwtRequestCodeFilter) passing OAuth 2 parameters via a JWT token as opposed to query parameters (see: The OAuth 2.0 Authorization Framework: JWT Secured Authorization Request (JAR)). Instead of sending a JWT token as a "request" parameter, the spec also supports specifying a URI from which to retrieve a JWT token from via the "request_uri" parameter. CXF was not validating the "request_uri" parameter (apart from ensuring it uses "https) and was making a REST request to the parameter in the request to retrieve a token. This means that CXF was vulnerable to DDos attacks on the authorization server, as specified in section 10.4.1 of the spec. This issue affects Apache CXF versions prior to 3.4.3; Apache CXF versions prior to 3.3.10.

Metrics

CVSS 3.1
7.5/10

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

EPSS Probability
6.59%

93.0th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

Affected Software

VendorProductVersions
ApacheCxf< 3.3.10
ApacheCxf>= 3.4.0, < 3.4.3
OracleBusiness Intelligence5.5.0.0.0
OracleBusiness Intelligence5.9.0.0.0
OracleBusiness Intelligence12.2.1.3.0
OracleBusiness Intelligence12.2.1.4.0
OracleCommunications Diameter Intelligence Hub>= 8.0.0, <= 8.1.0
OracleCommunications Diameter Intelligence Hub>= 8.2.0, <= 8.2.3
OracleCommunications Element Manager8.2.2
OracleCommunications Session Report Manager>= 8.0.0, <= 8.2.4.0
OracleCommunications Session Route Manager>= 8.0.0, <= 8.2.4

References

Timeline

Published
Last Modified
Status
Modified

Frequently Asked Questions

What is CVE-2021-22696?
CXF supports (via JwtRequestCodeFilter) passing OAuth 2 parameters via a JWT token as opposed to query parameters (see: The OAuth 2.0 Authorization Framework: JWT Secured Authorization Request (JAR)). Instead of sending a JWT token as a "request" parameter, the spec also supports specifying a URI from which to retrieve a JWT token from via the "request_uri" parameter. CXF was not validating the "request_uri" parameter (apart from ensuring it uses "https) and was making a REST request to the parameter in the request to retrieve a token. This means that CXF was vulnerable to DDos attacks on the authorization server, as specified in section 10.4.1 of the spec. This issue affects Apache CXF versions prior to 3.4.3; Apache CXF versions prior to 3.3.10.
How severe is CVE-2021-22696?
CVE-2021-22696 has a CVSS score of 7.5/10 (HIGH severity). The EPSS model estimates a 6.59% probability of exploitation in the next 30 days.
How do I fix CVE-2021-22696?
Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2021-22696?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST