RHSA-2022%3A7273
CXF supports (via JwtRequestCodeFilter) passing OAuth 2 parameters via a JWT token as opposed to query parameters (see: The OAuth 2.0 Authorization Framework: JWT Secured Authorization Request (JAR)). Instead of sending a JWT token as a "request" parameter, the spec also supports specifying a URI from which to retrieve a JWT token from via the "request_uri" parameter. CXF was not validating the "request_uri" parameter (apart from ensuring it uses "https) and was making a REST request to the parameter in the request to retrieve a token. This means that CXF was vulnerable to DDos attacks on the authorization server, as specified in section 10.4.1 of the spec. This issue affects Apache CXF versions prior to 3.4.3; Apache CXF versions prior to 3.3.10.
Risk Scores
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Red Hat | JWS 5.7.0 |
Timeline
- Nov 2, 2022 CVE Published
- May 1, 2026 Distribution Patch
- May 1, 2026 Distribution Patch
- May 1, 2026 Security Advisory
- May 1, 2026 Security Advisory
- May 1, 2026 Security Advisory
- May 1, 2026 Security Advisory
- May 1, 2026 Security Advisory
- May 14, 2026 CVE Updated
References
- https://access.redhat.com/errata/RHSA-2022:7273 advisory
- https://access.redhat.com/security/updates/classification/#moderate advisory
- https://bugzilla.redhat.com/show_bug.cgi?id=1946341 issue
- https://bugzilla.redhat.com/show_bug.cgi?id=1973392 issue
- https://bugzilla.redhat.com/show_bug.cgi?id=2047417 issue
- https://security.access.redhat.com/data/csaf/v2/advisories/2022/rhsa-2022_7273.json advisory
- https://access.redhat.com/security/cve/CVE-2021-22696 advisory
- https://www.cve.org/CVERecord?id=CVE-2021-22696 advisory
- https://nvd.nist.gov/vuln/detail/CVE-2021-22696 advisory
- https://cxf.apache.org/security-advisories.data/CVE-2021-22696.txt.asc advisory
- https://access.redhat.com/security/cve/CVE-2021-30468 advisory
- https://www.cve.org/CVERecord?id=CVE-2021-30468 advisory
- https://nvd.nist.gov/vuln/detail/CVE-2021-30468 advisory
- http://cxf.apache.org/security-advisories.data/CVE-2021-30468.txt.asc?version=1&modificationDate=1623835369690&api=v2 advisory
- https://access.redhat.com/security/cve/CVE-2021-43980 advisory
- https://bugzilla.redhat.com/show_bug.cgi?id=2130599 issue
- https://www.cve.org/CVERecord?id=CVE-2021-43980 advisory
- https://nvd.nist.gov/vuln/detail/CVE-2021-43980 advisory
- https://access.redhat.com/security/cve/CVE-2022-23181 advisory
- https://www.cve.org/CVERecord?id=CVE-2022-23181 advisory
…and 2 more