High severity · NVD Advisory · Published Jul 5, 2018 · Updated Sep 16, 2024
CVE-2018-8038
Description
Versions of Apache CXF Fediz prior to 1.4.4 do not fully disable Document Type Declarations (DTDs) when either parsing the Identity Provider response in the application plugins, or in the Identity Provider itself when parsing certain XML-based parameters.
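The weakness described above is an XML parser that still honours a Document Type Declaration in attacker-influenced input (the Identity Provider response on the plugin side, and XML-based request parameters on the IdP side). The hardened parser configuration below is an added example written for this page; it is not code from the advisory or from the Apache CXF Fediz project, and the class and method names (`HardenedXmlParser`, `newHardenedBuilder`, `parse`) are hypothetical. It uses only standard JAXP and Xerces feature identifiers and shows the check a reviewer would want: a document carrying any `<!DOCTYPE ...>` is refused before any entity or external DTD can be resolved, while a plain response still parses.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;

import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;

import org.w3c.dom.Document;
import org.xml.sax.SAXException;

// Hypothetical helper class; not part of Apache CXF Fediz.
public final class HardenedXmlParser {

    private HardenedXmlParser() {
    }

    // Builds a DocumentBuilder that disables DTD processing completely.
    public static DocumentBuilder newHardenedBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
        factory.setNamespaceAware(true);

        // JAXP secure processing: limits entity expansion and external access.
        factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);

        // The decisive setting: reject any DOCTYPE, so no DTD (and therefore no
        // entity declaration, internal or external) is ever processed.
        factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);

        // Defence in depth for parsers that honour only the SAX-level switches.
        factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
        factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        factory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        factory.setXIncludeAware(false);
        factory.setExpandEntityReferences(false);

        // Deny network or file access for DTDs and schemas (JAXP 1.5 properties).
        factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");

        return factory.newDocumentBuilder();
    }

    // Parses an XML string with the hardened builder; throws on any DOCTYPE.
    public static Document parse(String xml)
            throws ParserConfigurationException, SAXException, IOException {
        byte[] bytes = xml.getBytes(StandardCharsets.UTF_8);
        return newHardenedBuilder().parse(new ByteArrayInputStream(bytes));
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: a minimal, DTD-free response as a plugin would expect.
        String clean = "<Response xmlns=\"urn:example:fed\"><Status>OK</Status></Response>";
        Document doc = parse(clean);
        System.out.println("clean input parsed, root = "
                + doc.getDocumentElement().getLocalName());

        // Constructed sample: the same response preceded by a DOCTYPE. The hardened
        // builder must reject it regardless of what the DTD would have declared.
        String withDoctype = "<!DOCTYPE Response>"
                + "<Response xmlns=\"urn:example:fed\"><Status>OK</Status></Response>";
        try {
            parse(withDoctype);
            System.out.println("UNEXPECTED: DOCTYPE was accepted");
        } catch (SAXException e) {
            System.out.println("DOCTYPE rejected as expected: " + e.getMessage());
        }
    }
}
```

Running `main` prints the root element for the clean document and a `SAXParseException` message for the DOCTYPE-bearing one. The same feature set applies to `SAXParserFactory` and, through `XMLInputFactory.SUPPORT_DTD = false`, to StAX readers; whichever parser a plugin uses for the IdP response or a request parameter should be configured this way rather than relying on `FEATURE_SECURE_PROCESSING` alone, which limits entity expansion but does not by itself refuse a DTD.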
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package (Maven) | Affected versions | Patched versions |
|---|---|---|
| org.apache.cxf.fediz:fediz-spring | < 1.4.4 | 1.4.4 |
| org.apache.cxf.fediz:fediz-spring2 | < 1.4.4 | 1.4.4 |
| org.apache.cxf.fediz:fediz-spring3 | < 1.4.4 | 1.4.4 |
| org.apache.cxf.fediz:fediz-jetty8 | < 1.4.4 | 1.4.4 |
| org.apache.cxf.fediz:fediz-jetty9 | < 1.4.4 | 1.4.4 |
Affected products
GHSA package coordinates (no CPE assigned to any of them):
- pkg:maven/org.apache.cxf.fediz/fediz-jetty8, range: < 1.4.4
- pkg:maven/org.apache.cxf.fediz/fediz-jetty9, range: < 1.4.4
- pkg:maven/org.apache.cxf.fediz/fediz-spring, range: < 1.4.4
- pkg:maven/org.apache.cxf.fediz/fediz-spring2, range: < 1.4.4
- pkg:maven/org.apache.cxf.fediz/fediz-spring3, range: < 1.4.4
References
- github.com/advisories/GHSA-w3gh-g32m-cvhr (GitHub Security Advisory)
- nvd.nist.gov/vuln/detail/CVE-2018-8038 (NVD entry)
- cxf.apache.org/security-advisories.data/CVE-2018-8038.txt.asc (Apache CXF signed advisory, x_refsource_CONFIRM)
- www.securitytracker.com/id/1041220 (SecurityTracker vdb entry, x_refsource_SECTRACK)
- github.com/apache/cxf-fediz/commit/b6ed9865d0614332fa419fe4b6d0fe81bc2e660d (fix commit, x_refsource_CONFIRM)
- lists.apache.org/thread.html/f0a6a05ec3b3a00458da43712b0ff3a2f573175d9bfb39fb0de21424%40%3Cdev.cxf.apache.org%3E (dev@cxf.apache.org thread, x_refsource_MLIST)
- lists.apache.org/thread.html/r36e44ffc1a9b365327df62cdfaabe85b9a5637de102cea07d79b2dbf%40%3Ccommits.cxf.apache.org%3E (commits@cxf.apache.org thread, x_refsource_MLIST)
- lists.apache.org/thread.html/rc774278135816e7afc943dc9fc78eb0764f2c84a2b96470a0187315c%40%3Ccommits.cxf.apache.org%3E (commits@cxf.apache.org thread, x_refsource_MLIST)
- lists.apache.org/thread.html/rd49aabd984ed540c8ff7916d4d79405f3fa311d2fdbcf9ed307839a6%40%3Ccommits.cxf.apache.org%3E (commits@cxf.apache.org thread, x_refsource_MLIST)
- lists.apache.org/thread.html/rec7160382badd3ef4ad017a22f64a266c7188b9ba71394f0d321e2d4%40%3Ccommits.cxf.apache.org%3E (commits@cxf.apache.org thread, x_refsource_MLIST)
- lists.apache.org/thread.html/rfb87e0bf3995e7d560afeed750fac9329ff5f1ad49da365129b7f89e%40%3Ccommits.cxf.apache.org%3E (commits@cxf.apache.org thread, x_refsource_MLIST)
- lists.apache.org/thread.html/rff42cfa5e7d75b7c1af0e37589140a8f1999e578a75738740b244bd4%40%3Ccommits.cxf.apache.org%3E (commits@cxf.apache.org thread, x_refsource_MLIST)