CVE-2012-2378

CWE-264 CWE-287 — Improper Authentication7 documents6 sources

Severity

4.3MEDIUM

EPSS

4.2%

top 11.21%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Apache CXF

Timeline

PublishedJan 5

Latest updateMay 13

Description

Apache CXF 2.4.5 through 2.4.7, 2.5.1 through 2.5.3, and 2.6.x before 2.6.1, does not properly enforce child policies of a WS-SecurityPolicy 1.1 SupportingToken policy on the client side, which allows remote attackers to bypass the (1) AlgorithmSuite, (2) SignedParts, (3) SignedElements, (4) EncryptedParts, and (5) EncryptedElements policies.

CVSS vector

AV:N/AC:M/C:P/I:N/A:NExploitability: 8.6 | Impact: 2.9

Affected Packages2 packages

▶Mavenorg.apache.cxf:cxf2.4.5 — 2.4.8+2

▶NVDapache/cxf7 versions+6

🔴Vulnerability Details

OSV

Improper Authentication in Apache CXF↗2022-05-13

▶

GHSA

Improper Authentication in Apache CXF↗2022-05-13

▶

CVEList

CVE-2012-2378: Apache CXF 2↗2013-01-05

▶

📋Vendor Advisories

Red Hat

apache-cxf: Certain child policies of WS-SecurityPolicy 1.1 SupportingToken policy not applied on the client side↗2012-06-07

▶

💬Community

Bugzilla

CVE-2012-2378 jbossws-cxf, apache-cxf: Certain child policies of WS-SecurityPolicy 1.1 SupportingToken policy not applied on the client side [fedora-17]↗2012-08-07

▶

Bugzilla

CVE-2012-2378 jbossws-cxf, apache-cxf: Certain child policies of WS-SecurityPolicy 1.1 SupportingToken policy not applied on the client side↗2012-05-30

▶