Описание
Apache CXF before 2.5.9, 2.6.x before 2.6.6, and 2.7.x before 2.7.3, when the plaintext UsernameToken WS-SecurityPolicy is enabled, allows remote attackers to bypass authentication via a security header of a SOAP request containing a UsernameToken element that lacks a password child element.
Затронутые пакеты
| Платформа | Пакет | Состояние | Рекомендация | Релиз |
|---|---|---|---|---|
| Red Hat JBoss Enterprise Web Server 1 | eap-5 | Not affected | ||
| Red Hat JBoss Portal 6 | cxf | Affected | ||
| Fuse ESB Enterprise 7.1.0 | Fixed | RHSA-2013:0649 | 14.03.2013 | |
| Red Hat JBoss Enterprise Application Platform 6.0 | Fixed | RHSA-2013:0645 | 13.03.2013 | |
| Red Hat JBoss Enterprise Application Platform 6 for RHEL 5 | apache-cxf | Fixed | RHSA-2013:0644 | 13.03.2013 |
| Red Hat JBoss Enterprise Application Platform 6 for RHEL 6 | apache-cxf | Fixed | RHSA-2013:0644 | 13.03.2013 |
| Red Hat JBoss Portal 6.0 | Fixed | RHSA-2013:0749 | 16.04.2013 |
Показывать по
Дополнительная информация
Статус:
6.4 Medium
CVSS2
Связанные уязвимости
Apache CXF before 2.5.9, 2.6.x before 2.6.6, and 2.7.x before 2.7.3, when the plaintext UsernameToken WS-SecurityPolicy is enabled, allows remote attackers to bypass authentication via a security header of a SOAP request containing a UsernameToken element that lacks a password child element.
Apache CXF before 2.5.9, 2.6.x before 2.6.6, and 2.7.x before 2.7.3, when the plaintext UsernameToken WS-SecurityPolicy is enabled, allows remote attackers to bypass authentication via a security header of a SOAP request containing a UsernameToken element that lacks a password child element.
Apache CXF before 2.5.9, 2.6.x before 2.6.6, and 2.7.x before 2.7.3, w ...
6.4 Medium
CVSS2