CVE-2012-5633

The URIMappingInterceptor in Apache CXF before 2.5.8, 2.6.x before 2.6.5, and 2.7.x before 2.7.2, when using the WSS4JInInterceptor, bypasses WS-Security processing, which allows remote attackers to obtain access to SOAP services via an HTTP GET request.

Published Bysecalert@redhat.com

Published DateMar 12, 2013, 23:55

Affected Versions(3)

org.apache.cxf:cxf(Maven)

Introduced0

Fixed2.5.8

LimitN/A

org.apache.cxf:cxf(Maven)

Introduced2.6.0

Fixed2.6.5

LimitN/A

org.apache.cxf:cxf(Maven)

Introduced2.7.0

Fixed2.7.2

LimitN/A

Package (Ecosystem)	Introduced	Fixed	Limit
org.apache.cxf:cxf(Maven)	0	2.5.8	N/A
org.apache.cxf:cxf(Maven)	2.6.0	2.6.5	N/A
org.apache.cxf:cxf(Maven)	2.7.0	2.7.2	N/A

Weakness Type (CWE):CWE-287

CVSS Metrics

Base Score

5.8

Vector String

AV:N/AC:M/Au:N/C:P/I:P/A:N

Base Severity

Version

2.0

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality (C)

PARTIAL

Integrity (I)

PARTIAL

Availability (A)

NONE

References

Weakness Type (CWE):CWE-287

CVSS Metrics

Base Score

5.8

Vector String

AV:N/AC:M/Au:N/C:P/I:P/A:N

Base Severity

Version

2.0

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality (C)

PARTIAL

Integrity (I)

PARTIAL

Availability (A)

NONE