CVE-2017-5653

Severity: 5.3 MEDIUM
EPSS: 3.2% (top 13.07%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Apr 18; Latest update May 13

Description

JAX-RS XML Security streaming clients in Apache CXF before 3.1.11 and 3.0.13 do not validate that the service response was signed or encrypted, which allows remote attackers to spoof servers.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Exploitability: 3.9 | Impact: 1.4

Affected Packages (3 packages)

Source: Maven | Package: org.apache.cxf:cxf-core | Introduced: 3.1.0 | Fixed: 3.1.11 | +1
Source: NVD | Package: apache/cxf | Introduced: 3.0.0 | Fixed: 3.0.13 | +1
Source: CVEListV5 | Package: apache_software_foundation/apache_cxf | Affected: 3.1.x prior to 3.1.11, prior to 3.0.13 | +1

Patches

🔴 Vulnerability Details (3)

OSV: Improper Certificate Validation in Apache CXF (2022-05-13)
GHSA: Improper Certificate Validation in Apache CXF (2022-05-13)
CVEList: CVE-2017-5653: JAX-RS XML Security streaming clients in Apache CXF before 3 (2017-04-18)

📋 Vendor Advisories (1)

Red Hat: cxf: CXF JAX-RS XML Security streaming clients do not validate that the service response was signed or encrypted (2017-03-27)

💬 Community (3)

Bugzilla: CVE-2017-5653 CVE-2017-5656 cxf: various flaws [fedora-all] (2017-04-25)
Bugzilla: CVE-2017-5653 cxf: CXF JAX-RS XML Security streaming clients do not validate that the service response was signed or encrypted (2017-04-25)
Bugzilla: CVE-2013-5653 ghostscript: getenv and filenameforall ignore -dSAFER (2016-09-29)