CVE-2014-0035

CWE-310 CWE-319 — Cleartext Transmission CWE-522 — Insufficiently Protected Credentials7 documents6 sources

Severity

4.3MEDIUM

EPSS

1.0%

top 23.57%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Apache CXF Redhat Jboss Enterprise Application Platform

Timeline

PublishedJul 7

Latest updateMay 13

Description

The SymmetricBinding in Apache CXF before 2.6.13 and 2.7.x before 2.7.10, when EncryptBeforeSigning is enabled and the UsernameToken policy is set to an EncryptedSupportingToken, transmits the UsernameToken in cleartext, which allows remote attackers to obtain sensitive information by sniffing the network.

CVSS vector

AV:N/AC:M/C:P/I:N/A:NExploitability: 8.6 | Impact: 2.9

Affected Packages3 packages

▶Mavenorg.apache.cxf:cxf-core2.7.0 — 2.7.10+1

▶NVDapache/cxf2.6.12+22

▶NVDredhat/jboss_enterprise_application_platform6.0.0, 6.2.0+1

Patches

Patch: svn.apache.org ↗Patch: svn.apache.org ↗

🔴Vulnerability Details

GHSA

Cleartext Transmission of Sensitive Information in Apache CXF↗2022-05-13

▶

OSV

Cleartext Transmission of Sensitive Information in Apache CXF↗2022-05-13

▶

CVEList

CVE-2014-0035: The SymmetricBinding in Apache CXF before 2↗2014-07-07

▶

📋Vendor Advisories

Red Hat

CXF: UsernameTokens are sent in plaintext with a Symmetric EncryptBeforeSigning policy↗2014-05-01

▶

💬Community

Bugzilla

CVE-2014-0035 Apache CXF: UsernameTokens are sent in plaintext with a Symmetric EncryptBeforeSigning policy [fedora-all]↗2014-05-08

▶

Bugzilla

CVE-2014-0035 Apache CXF: UsernameTokens are sent in plaintext with a Symmetric EncryptBeforeSigning policy↗2014-05-02

▶