CVE-2012-2378

Published Jan 5, 2013

Last updated 3 months ago

CVSS info 4.3

Overview

Description: Apache CXF 2.4.5 through 2.4.7, 2.5.1 through 2.5.3, and 2.6.x before 2.6.1, does not properly enforce child policies of a WS-SecurityPolicy 1.1 SupportingToken policy on the client side, which allows remote attackers to bypass the (1) AlgorithmSuite, (2) SignedParts, (3) SignedElements, (4) EncryptedParts, and (5) EncryptedElements policies.
Source: secalert@redhat.com
NVD status: Modified

Risk scores

CVSS 2.0

Type: Primary
Base score: 4.3
Impact score: 2.9
Exploitability score: 8.6
Vector string: AV:N/AC:M/Au:N/C:P/I:N/A:N

Weaknesses

nvd@nist.gov: CWE-264

Hype score: Not currently trending

Configurations

[
  {
    "nodes": [
      {
        "negate": false,
        "cpeMatch": [
          {
            "criteria": "cpe:2.3:a:apache:cxf:2.4.5:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "AD8E746D-8FEF-47AB-97DC-8A0C1743F7D5"
          },
          {
            "criteria": "cpe:2.3:a:apache:cxf:2.4.6:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "6BFB2300-841A-4D92-96C7-D58E15F67D8E"
          },
          {
            "criteria": "cpe:2.3:a:apache:cxf:2.4.7:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "B6468310-155B-4582-9DA8-90C6B99E02BF"
          }
        ],
        "operator": "OR"
      }
    ]
  },
  {
    "nodes": [
      {
        "negate": false,
        "cpeMatch": [
          {
            "criteria": "cpe:2.3:a:apache:cxf:2.5.1:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "6915B2EC-AA31-44B5-A5F3-3EE1FDD0ABC7"
          },
          {
            "criteria": "cpe:2.3:a:apache:cxf:2.5.2:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "90280778-F7D6-49E2-9C7F-9F5F58137FDE"
          },
          {
            "criteria": "cpe:2.3:a:apache:cxf:2.5.3:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "962F2A85-4731-450B-986B-E1A79986F143"
          }
        ],
        "operator": "OR"
      }
    ]
  },
  {
    "nodes": [
      {
        "negate": false,
        "cpeMatch": [
          {
            "criteria": "cpe:2.3:a:apache:cxf:2.6.0:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "A4FC7D67-80A3-43F6-8D46-F13F37A017CF"
          }
        ],
        "operator": "OR"
      }
    ]
  }
]

Overview

Risk scores

CVSS 2.0

Weaknesses

Social media

Configurations

References