CVE-2012-2378

Apache CXF 2.4.5 through 2.4.7, 2.5.1 through 2.5.3, and 2.6.x before 2.6.1, does not properly enforce child policies of a WS-SecurityPolicy 1.1 SupportingToken policy on the client side, which allows remote attackers to bypass the (1) AlgorithmSuite, (2) SignedParts, (3) SignedElements, (4) EncryptedParts, and (5) EncryptedElements policies.

Published Bysecalert@redhat.com

Published DateJan 05, 2013, 00:55

Affected Versions(3)

org.apache.cxf:cxf(Maven)

Introduced2.4.5

Fixed2.4.8

LimitN/A

org.apache.cxf:cxf(Maven)

Introduced2.5.1

Fixed2.5.3

LimitN/A

org.apache.cxf:cxf(Maven)

Introduced2.6.0

Fixed2.6.1

LimitN/A

Package (Ecosystem)	Introduced	Fixed	Limit
org.apache.cxf:cxf(Maven)	2.4.5	2.4.8	N/A
org.apache.cxf:cxf(Maven)	2.5.1	2.5.3	N/A
org.apache.cxf:cxf(Maven)	2.6.0	2.6.1	N/A

Weakness Type (CWE):CWE-264

CVSS Metrics

Base Score

4.3

Vector String

AV:N/AC:M/Au:N/C:P/I:N/A:N

Base Severity

Version

2.0

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality (C)

PARTIAL

Integrity (I)

NONE

Availability (A)

NONE

References

Weakness Type (CWE):CWE-264

CVSS Metrics

Base Score

4.3

Vector String

AV:N/AC:M/Au:N/C:P/I:N/A:N

Base Severity

Version

2.0

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality (C)

PARTIAL

Integrity (I)

NONE

Availability (A)

NONE