CVE-2013-0239

CWE-287 — Improper Authentication8 documents6 sources

Severity

5.0MEDIUM

EPSS

2.7%

top 14.23%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Apache CXF

Timeline

PublishedMar 12

Latest updateMay 5

Description

Apache CXF before 2.5.9, 2.6.x before 2.6.6, and 2.7.x before 2.7.3, when the plaintext UsernameToken WS-SecurityPolicy is enabled, allows remote attackers to bypass authentication via a security header of a SOAP request containing a UsernameToken element that lacks a password child element.

CVSS vector

AV:N/AC:L/C:N/I:P/A:NExploitability: 10.0 | Impact: 2.9

Affected Packages2 packages

▶Mavenorg.apache.cxf:cxf-rt-frontend-jaxrs2.6.0 — 2.6.6+2

▶NVDapache/cxf2.5.8+25

Patches

Patch: svn.apache.org ↗Patch: svn.apache.org ↗

🔴Vulnerability Details

OSV

Improper Authentication in Apache CXF↗2022-05-05

▶

GHSA

Improper Authentication in Apache CXF↗2022-05-05

▶

CVEList

CVE-2013-0239: Apache CXF before 2↗2013-03-12

▶

📋Vendor Advisories

Red Hat

apache-cxf: UsernameTokenPolicyValidator and UsernameTokenInterceptor allow empty passwords to authenticate↗2013-02-08

▶

💬Community

Bugzilla

CVE-2012-5633 CVE-2013-0239 cxf various flaws [fedora-all]↗2013-02-08

▶

Bugzilla

CVE-2012-5633 CVE-2013-0239 jbossws-cxf various flaws [fedora-all]↗2013-02-08

▶

Bugzilla

CVE-2013-0239 jbossws-cxf, apache-cxf: UsernameTokenPolicyValidator and UsernameTokenInterceptor allow empty passwords to authenticate↗2013-01-30

▶