Apache CXFs STSClient before 3.1.11 and 3.0.13 uses a flawed way of caching tokens that are associated with delegation tokens, which means that an attacker could craft a token which would return an identifer corresponding to a cached token for another user.
Authenticating a user, or otherwise establishing a new user session, without invalidating any existing session identifier gives an attacker the opportunity to steal authenticated sessions.
Name | Vendor | Start Version | End Version |
---|---|---|---|
Cxf | Apache | 3.0.0 (including) | 3.0.13 (excluding) |
Cxf | Apache | 3.1.0 (including) | 3.1.11 (excluding) |
Such a scenario is commonly observed when: