CVE-2012-2379

7 documents6 sources
Severity
10.0CRITICAL
EPSS
3.8%
top 11.97%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
1
Apache CXF
Timeline
PublishedJan 3
Latest updateMay 13

Description

Apache CXF 2.4.x before 2.4.8, 2.5.x before 2.5.4, and 2.6.x before 2.6.1, when a Supporting Token specifies a child WS-SecurityPolicy 1.1 or 1.2 policy, does not properly ensure that an XML element is signed or encrypted, which has unspecified impact and attack vectors.

CVSS vector

AV:N/AC:L/C:C/I:C/A:CExploitability: 10.0 | Impact: 10.0

Affected Packages2 packages

Mavenorg.apache.cxf:cxf2.4.02.4.8+2
NVDapache/cxf13 versions+12

Patches

Patch: cxf.apache.orgPatch: cxf.apache.org

🔴Vulnerability Details

3
OSV
XML Signature/Encryption Not Validated in Apache CXF2022-05-13
GHSA
XML Signature/Encryption Not Validated in Apache CXF2022-05-13
CVEList
CVE-2012-2379: Apache CXF 22013-01-03

📋Vendor Advisories

1
Red Hat
apache-cxf: Apache CXF does not verify that elements were signed / encrypted by a particular Supporting Token2012-06-07

💬Community

2
Bugzilla
CVE-2012-2379 jbossws-cxf, apache-cxf: Apache CXF does not verify that elements were signed / encrypted by a particular Supporting Token [fedora-17]2012-08-07
Bugzilla
CVE-2012-2379 jbossws-cxf, apache-cxf: Apache CXF does not verify that elements were signed / encrypted by a particular Supporting Token2012-05-30
CVE-2012-2379 (CRITICAL CVSS 10) | Apache CXF 2.4.x before 2.4.8 | cvebase.io