Описание
Apache CXF 2.4.5 through 2.4.7, 2.5.1 through 2.5.3, and 2.6.x before 2.6.1, does not properly enforce child policies of a WS-SecurityPolicy 1.1 SupportingToken policy on the client side, which allows remote attackers to bypass the (1) AlgorithmSuite, (2) SignedParts, (3) SignedElements, (4) EncryptedParts, and (5) EncryptedElements policies.
Ссылки
- Vendor Advisory
- Vendor Advisory
- Vendor Advisory
- Vendor Advisory
Уязвимые конфигурации
Конфигурация 1
Одно из
cpe:2.3:a:apache:cxf:2.4.5:*:*:*:*:*:*:*
cpe:2.3:a:apache:cxf:2.4.6:*:*:*:*:*:*:*
cpe:2.3:a:apache:cxf:2.4.7:*:*:*:*:*:*:*
Конфигурация 2
Одно из
cpe:2.3:a:apache:cxf:2.5.1:*:*:*:*:*:*:*
cpe:2.3:a:apache:cxf:2.5.2:*:*:*:*:*:*:*
cpe:2.3:a:apache:cxf:2.5.3:*:*:*:*:*:*:*
Конфигурация 3
cpe:2.3:a:apache:cxf:2.6.0:*:*:*:*:*:*:*
EPSS
Процентиль: 89%
0.04238
Низкий
4.3 Medium
CVSS2
Дефекты
CWE-264
Связанные уязвимости
redhat
больше 13 лет назад
Apache CXF 2.4.5 through 2.4.7, 2.5.1 through 2.5.3, and 2.6.x before 2.6.1, does not properly enforce child policies of a WS-SecurityPolicy 1.1 SupportingToken policy on the client side, which allows remote attackers to bypass the (1) AlgorithmSuite, (2) SignedParts, (3) SignedElements, (4) EncryptedParts, and (5) EncryptedElements policies.
EPSS
Процентиль: 89%
0.04238
Низкий
4.3 Medium
CVSS2
Дефекты
CWE-264