Lucene search

GitHub Advisory DatabaseGHSA-7V5V-9V8R-W864

HistoryMay 13, 2022 - 1:09 a.m.

Inadequate Encryption Strength in Apache CXF

2022-05-1301:09:21

CWE-326

GitHub Advisory Database

github.com

6.4 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:L/Au:N/C:P/I:P/A:N

0.002 Low

EPSS

Percentile

64.8%

JSON

Apache CXF 2.5.x before 2.5.10, 2.6.x before CXF 2.6.7, and 2.7.x before CXF 2.7.4 does not verify that a specified cryptographic algorithm is allowed by the WS-SecurityPolicy AlgorithmSuite definition before decrypting, which allows remote attackers to force CXF to use weaker cryptographic algorithms than intended and makes it easier to decrypt communications, aka “XML Encryption backwards compatibility attack.”

Affected configurations

Vulners

Node

org.apache.cxf\Matchcxf-rt-management

CPENameOperatorVersion
org.apache.cxf:cxf-rt-transports-httplt2.7.4
org.apache.cxf:cxf-rt-transports-httplt2.6.7
org.apache.cxf:cxf-rt-transports-httplt2.5.10

Name	Operator	Version
org.apache.cxf:cxf-rt-transports-http	lt	2.7.4
org.apache.cxf:cxf-rt-transports-http	lt	2.6.7
org.apache.cxf:cxf-rt-transports-http	lt	2.5.10

References

cxf.apache.org/cve-2012-5575.html

rhn.redhat.com/errata/RHSA-2013-0833.html

rhn.redhat.com/errata/RHSA-2013-0834.html

rhn.redhat.com/errata/RHSA-2013-0839.html

rhn.redhat.com/errata/RHSA-2013-0873.html

rhn.redhat.com/errata/RHSA-2013-0874.html

rhn.redhat.com/errata/RHSA-2013-0875.html

rhn.redhat.com/errata/RHSA-2013-0876.html

rhn.redhat.com/errata/RHSA-2013-0943.html

rhn.redhat.com/errata/RHSA-2013-1028.html

rhn.redhat.com/errata/RHSA-2013-1143.html

rhn.redhat.com/errata/RHSA-2013-1437.html

www.nds.ruhr-uni-bochum.de/research/publications/backwards-compatibility/

www.securityfocus.com/bid/60043

bugzilla.redhat.com/show_bug.cgi?id=880443

github.com/advisories/GHSA-7v5v-9v8r-w864

lists.apache.org/thread.html/r36e44ffc1a9b365327df62cdfaabe85b9a5637de102cea07d79b2dbf%40%3Ccommits.cxf.apache.org%3E

lists.apache.org/thread.html/r36e44ffc1a9b365327df62cdfaabe85b9a5637de102cea07d79b2dbf@%3Ccommits.cxf.apache.org%3E

lists.apache.org/thread.html/rc774278135816e7afc943dc9fc78eb0764f2c84a2b96470a0187315c%40%3Ccommits.cxf.apache.org%3E

lists.apache.org/thread.html/rc774278135816e7afc943dc9fc78eb0764f2c84a2b96470a0187315c@%3Ccommits.cxf.apache.org%3E

lists.apache.org/thread.html/rd49aabd984ed540c8ff7916d4d79405f3fa311d2fdbcf9ed307839a6%40%3Ccommits.cxf.apache.org%3E

lists.apache.org/thread.html/rd49aabd984ed540c8ff7916d4d79405f3fa311d2fdbcf9ed307839a6@%3Ccommits.cxf.apache.org%3E

lists.apache.org/thread.html/rec7160382badd3ef4ad017a22f64a266c7188b9ba71394f0d321e2d4%40%3Ccommits.cxf.apache.org%3E

lists.apache.org/thread.html/rec7160382badd3ef4ad017a22f64a266c7188b9ba71394f0d321e2d4@%3Ccommits.cxf.apache.org%3E

lists.apache.org/thread.html/rfb87e0bf3995e7d560afeed750fac9329ff5f1ad49da365129b7f89e%40%3Ccommits.cxf.apache.org%3E

lists.apache.org/thread.html/rfb87e0bf3995e7d560afeed750fac9329ff5f1ad49da365129b7f89e@%3Ccommits.cxf.apache.org%3E

lists.apache.org/thread.html/rff42cfa5e7d75b7c1af0e37589140a8f1999e578a75738740b244bd4%40%3Ccommits.cxf.apache.org%3E

lists.apache.org/thread.html/rff42cfa5e7d75b7c1af0e37589140a8f1999e578a75738740b244bd4@%3Ccommits.cxf.apache.org%3E

nvd.nist.gov/vuln/detail/CVE-2012-5575

6.4 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:L/Au:N/C:P/I:P/A:N

0.002 Low

EPSS

Percentile

64.8%

JSON

Related for GHSA-7V5V-9V8R-W864