Apache Tomee version 8.0.6 contains vulnerable version of cxf libraries (I.e. cxf-core-3.3.8.jar).
See Apache CXF - CVE-2021-22696 for more details.
Vulnerability Published: 2021-04-02 06:15 EDT
Vulnerability Updated: 2021-04-02 14:15 EDT
CVSS Score: (under review, not scored yet - updates will be reported in issue comments)
Summary: CXF supports (via JwtRequestCodeFilter) passing OAuth 2 parameters via a JWT token as opposed to query parameters (see: The OAuth 2.0 Authorization Framework: JWT Secured Authorization Request (JAR)). Instead of sending a JWT token as a "request" parameter, the spec also supports specifying a URI from which to retrieve a JWT token from via the "request_uri" parameter. CXF was not validating the "request_uri" parameter (apart from ensuring it uses "https) and was making a REST request to the parameter in the request to retrieve a token. This means that CXF was vulnerable to DDos attacks on the authorization server, as specified in section 10.4.1 of the spec. This issue affects Apache CXF versions prior to 3.4.3; Apache CXF versions prior to 3.3.10.
Affected Component(s): Apache CXF
Vulnerability Published: 2021-04-02 11:35 EDT
Vulnerability Updated: 2021-04-02 11:35 EDT
CVSS Score: 6.5 (overall), 7.5 (base)
Summary: Apache CXF is vulnerable to distributed denial-of-service (DDoS) via passing OAuth 2 parameters via a JWT token. An attacker could exploit this in order to cause the authorization server to crash.
The latest stable releases are available here.