{"id":"CVE-2017-5656","details":"Apache CXF's STSClient before 3.1.11 and 3.0.13 uses a flawed way of caching tokens that are associated with delegation tokens, which means that an attacker could craft a token which would return an identifier corresponding to a cached token for another user.","aliases":["GHSA-v936-x3j5-c76j"],"modified":"2026-04-10T04:01:43.048430Z","published":"2017-04-18T16:59:00.197Z","references":[{"type":"WEB","url":"https://lists.apache.org/thread.html/r36e44ffc1a9b365327df62cdfaabe85b9a5637de102cea07d79b2dbf%40%3Ccommits.cxf.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/rd49aabd984ed540c8ff7916d4d79405f3fa311d2fdbcf9ed307839a6%40%3Ccommits.cxf.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/rfb87e0bf3995e7d560afeed750fac9329ff5f1ad49da365129b7f89e%40%3Ccommits.cxf.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/rc774278135816e7afc943dc9fc78eb0764f2c84a2b96470a0187315c%40%3Ccommits.cxf.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/rec7160382badd3ef4ad017a22f64a266c7188b9ba71394f0d321e2d4%40%3Ccommits.cxf.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/rff42cfa5e7d75b7c1af0e37589140a8f1999e578a75738740b244bd4%40%3Ccommits.cxf.apache.org%3E"},{"type":"ADVISORY","url":"http://www.securitytracker.com/id/1038282"},{"type":"ADVISORY","url":"http://www.securityfocus.com/bid/97971"},{"type":"REPORT","url":"https://access.redhat.com/errata/RHSA-2017:1832"},{"type":"REPORT","url":"https://access.redhat.com/errata/RHSA-2018:1694"},{"type":"FIX","url":"http://cxf.apache.org/security-advisories.data/CVE-2017-5656.txt.asc?version=1&modificationDate=1492515113282&api=v2"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/apache/cxf","events":[{"introduced":"fd92c807e8773c363df37cfaf946971f5bac763b"},{"fixed":"e58227cd53c8e4526bb3a75b37e4afdb7add6ddf"},{"introduced":"a04a1e06f7fffc5f145e33c6832f31b04782516b"},{"fi
xed":"df51c99d9a708974a124052bb965494797c22e8c"}],"database_specific":{"versions":[{"introduced":"3.0.0"},{"fixed":"3.0.13"},{"introduced":"3.1.0"},{"fixed":"3.1.11"}]}}],"versions":["cxf-3.0.0","cxf-3.0.10","cxf-3.0.11","cxf-3.0.12","cxf-3.0.2","cxf-3.0.3","cxf-3.0.4","cxf-3.0.5","cxf-3.0.6","cxf-3.0.7","cxf-3.0.8","cxf-3.0.9","cxf-3.1.0","cxf-3.1.1","cxf-3.1.10","cxf-3.1.2","cxf-3.1.3","cxf-3.1.4","cxf-3.1.5","cxf-3.1.6","cxf-3.1.7","cxf-3.1.8","cxf-3.1.9"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2017-5656.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"}]}