VYPR
High severity (CVSS 7.5) · NVD Advisory · Published Aug 10, 2017 · Updated Jun 17, 2026

CVE-2017-3156

Description

The OAuth2 Hawk and JOSE MAC Validation code in Apache CXF prior to 3.0.13 and 3.1.x prior to 3.1.10 is not using a constant time MAC signature comparison algorithm which may be exploited by sophisticated timing attacks.
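The defect the description names, as an added illustration that is not taken from the Apache CXF code base: an early-exit byte-by-byte MAC comparison, whose running time depends on how many leading bytes of a presented MAC are correct, beside the constant-time check (MessageDigest.isEqual) that a Hawk or JOSE MAC validator should use. The HMAC key, the Hawk-style normalized string and the class and method names are constructed assumptions for this example.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

public class MacCompare {
    // Weak: returns at the first mismatching byte, so the time taken
    // depends on how many leading bytes of the presented MAC match.
    // This is the kind of comparison CVE-2017-3156 describes.
    static boolean compareEarlyExit(byte[] expected, byte[] received) {
        if (expected.length != received.length) {
            return false;
        }
        for (int i = 0; i < expected.length; i++) {
            if (expected[i] != received[i]) {
                return false;
            }
        }
        return true;
    }

    // Hardened: MessageDigest.isEqual examines every byte regardless of
    // where the first difference lies (constant-time since Java 6u17).
    static boolean compareConstantTime(byte[] expected, byte[] received) {
        return MessageDigest.isEqual(expected, received);
    }

    static byte[] hmacSha256(byte[] key, String data) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(key, "HmacSHA256"));
        return mac.doFinal(data.getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) throws Exception {
        // Constructed demo key; a real validator loads the client's shared secret.
        byte[] key = "constructed-demo-key".getBytes(StandardCharsets.UTF_8);
        // Constructed stand-in for the normalized request string a Hawk-style
        // scheme signs (layout assumed here, not CXF's exact format).
        String normalized = "hawk.1.header\n1502323200\nnonce123\nGET\n"
                + "/api/resource\nexample.org\n443\n\n\n";
        byte[] expected = hmacSha256(key, normalized);

        // A MAC that is wrong only in its last byte: the early-exit loop
        // runs almost to the end, which is exactly the signal it leaks.
        byte[] wrongLastByte = expected.clone();
        wrongLastByte[wrongLastByte.length - 1] ^= 0x01;

        System.out.println("early-exit,    genuine: " + compareEarlyExit(expected, expected));
        System.out.println("early-exit,    forged : " + compareEarlyExit(expected, wrongLastByte));
        System.out.println("constant-time, forged : " + compareConstantTime(expected, wrongLastByte));
    }
}
```

Both comparisons reject the altered MAC; the difference is only in how long they take to do so, which is the property a timing attack measures.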

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                                   Affected versions     Patched versions
org.apache.cxf.karaf:apache-cxf (Maven)   < 3.0.13              3.0.13
org.apache.cxf.karaf:apache-cxf (Maven)   >= 3.1.0, < 3.1.10    3.1.10

Affected products (13)

  • Apache/Cxf (11 versions)
    • cpe:2.3:a:apache:cxf:*:*:*:*:*:*:*:* (range: <= 3.0.12)
    • cpe:2.3:a:apache:cxf:3.1.0:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:cxf:3.1.1:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:cxf:3.1.2:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:cxf:3.1.3:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:cxf:3.1.4:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:cxf:3.1.5:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:cxf:3.1.6:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:cxf:3.1.7:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:cxf:3.1.8:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:cxf:3.1.9:*:*:*:*:*:*:*
  • Apache/Apache (cpe-rescue)
    Range: prior to 3.0.13
