A logic error in OAuthRequestFilter rejects legitimate requests originating from the bound IP address, while blindly allowing requests from any other IP address. Enabling this security feature inadvertently creates an inverse security check. Users are recommended to upgrade to versions 4.2.2 or 4.1.7, which fixes this issue.
A logic error (CWE-20 — improper input validation) occurs in the OAuthRequestFilter module of Apache CXF, which reverses the operation of the IP address verification mechanism. The filter is designed to restrict access only to the associated IP address, but due to the error, it rejects requests from that exact address, while requests from any other IP address are accepted without restrictions. A remote, unauthenticated attacker can fully bypass IP address-based access control.
An attacker without any authentication can gain unauthorized access to resources protected by the IP filtering mechanism, leading to violations of confidentiality, integrity, and availability of data and services.
Apache CXF should be updated to version 4.2.2 or 4.1.7, which contain a fix for this error. Until updating, it is recommended to disable IP filtering based on OAuthRequestFilter or implement external access control mechanisms (e.g., at the firewall or reverse proxy level).
Apache CXF in versions prior to 4.2.2 and 4.1.7, in configurations with OAuthRequestFilter enabled with IP address verification
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HApache Cxf
APPApache< 4.1.74.2.0 – 4.2.2 (bez)
Related vulnerabilities
Apache CXF: podatność XXE w EndpointReferenceUtils i W3CMultiSchemaFactory
Apache CXF: brak weryfikacji pola 'aud' w tokenach JWT (Token Confusion)
An LDAP injection vulnerability in the LDAP Certificate repository of the XKMS server in Apache CXF may allow ...
Apache CXF: RCE przez złośliwe URL w konfiguracji JMS
SSRF w opisie usług WADL w Apache CXF