CVE-2012-2378

Improper Authentication in Apache CXF in maven/org.apache.cxf/cxf

Identifiers

GHSA-vjpc-vf4f-82qg, CVE-2012-2378

Package Slug

maven/org.apache.cxf/cxf

Vulnerability

Improper Authentication in Apache CXF

Description

Apache CXF 2.4.5 through 2.4.7, 2.5.1 through 2.5.3, and 2.6.x before 2.6.1 does not properly enforce child policies of a WS-SecurityPolicy 1.1 SupportingToken policy on the client side, which allows remote attackers to bypass the (1) AlgorithmSuite, (2) SignedParts, (3) SignedElements, (4) EncryptedParts, and (5) EncryptedElements policies.

Affected Versions

All versions starting from 2.4.5 before 2.4.8, all versions starting from 2.5.1 before 2.5.3, all versions starting from 2.6.0 before 2.6.1

Solution

Upgrade to versions 2.4.8, 2.5.3, 2.6.1 or above.

Last Modified

2022-07-24
