CVE-2012-5575

CWE-310 CWE-326 CWE-327 — Broken Cryptographic Algorithm6 documents6 sources

Severity

6.4MEDIUM

EPSS

9.5%

top 7.17%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Apache CXF Redhat Jboss Enterprise Application Platform Redhat Jboss Enterprise Portal Platform +3 more

Timeline

PublishedAug 19

Latest updateMay 13

Description

Apache CXF 2.5.x before 2.5.10, 2.6.x before CXF 2.6.7, and 2.7.x before CXF 2.7.4 does not verify that a specified cryptographic algorithm is allowed by the WS-SecurityPolicy AlgorithmSuite definition before decrypting, which allows remote attackers to force CXF to use weaker cryptographic algorithms than intended and makes it easier to decrypt communications, aka "XML Encryption backwards compatibility attack."

CVSS vector

AV:N/AC:L/C:P/I:P/A:NExploitability: 10.0 | Impact: 4.9

Affected Packages7 packages

▶Mavenorg.apache.cxf:cxf-rt-transports-http2.5.0 — 2.5.10+2

▶NVDapache/cxf21 versions+20

▶NVDredhat/jboss_fuse_esb_enterprise7.1.0

▶NVDredhat/jboss_enterprise_soa_platform4.3.0

▶NVDredhat/jboss_enterprise_web_platform5.2.0

🔴Vulnerability Details

GHSA

Inadequate Encryption Strength in Apache CXF↗2022-05-13

▶

OSV

Inadequate Encryption Strength in Apache CXF↗2022-05-13

▶

CVEList

CVE-2012-5575: Apache CXF 2↗2013-08-19

▶

📋Vendor Advisories

Red Hat

apache-cxf: XML encryption backwards compatibility attacks↗2013-03-08

▶

💬Community

Bugzilla

CVE-2012-5575 jbossws-native, jbossws-cxf, apache-cxf: XML encryption backwards compatibility attacks↗2012-11-27

▶