Lucene search

Veracode Vulnerability DatabaseVERACODE:10918

HistoryJan 15, 2019 - 8:54 a.m.

XML Encryption Backwards Compatibility Attack

2019-01-1508:54:06

Veracode Vulnerability Database

sca.analysiscenter.veracode.com

0.002 Low

EPSS

Percentile

64.8%

JSON

Apache CXF 2.5.x before 2.5.10, 2.6.x before CXF 2.6.7, and 2.7.x before CXF 2.7.4 does not verify that a specified cryptographic algorithm is allowed by the WS-SecurityPolicy AlgorithmSuite definition before decrypting, which allows remote attackers to force CXF to use weaker cryptographic algorithms than intended and makes it easier to decrypt communications, aka XML Encryption backwards compatibility attack.

CPENameOperatorVersion
apache-cxfeq2.2.12__4.patch_02.1.1.ep5.el5
apache-cxfeq2.4.6__9.redhat_1.ep6.el5
apache-cxfeq2.2.12__10.patch_06.ep5.el5
apache-cxfeq2.2.12__6.1.patch_04.ep5.el6
apache-cxfeq2.4.9__4.redhat_2.ep6.el6
apache-cxfeq2.2.12__6.1.patch_04.ep5.el5
apache-cxfeq2.2.12__4.patch_02.1.1.ep5.el4
apache-cxfeq2.4.9__6.redhat_3.ep6.el5
apache-cxfeq2.4.9__6.redhat_3.ep6.el6
apache-cxfeq2.2.12__6.1.patch_04.ep5.el4

Name	Operator	Version
apache-cxf	eq	2.2.12__4.patch_02.1.1.ep5.el5
apache-cxf	eq	2.4.6__9.redhat_1.ep6.el5
apache-cxf	eq	2.2.12__10.patch_06.ep5.el5
apache-cxf	eq	2.2.12__6.1.patch_04.ep5.el6
apache-cxf	eq	2.4.9__4.redhat_2.ep6.el6
apache-cxf	eq	2.2.12__6.1.patch_04.ep5.el5
apache-cxf	eq	2.2.12__4.patch_02.1.1.ep5.el4
apache-cxf	eq	2.4.9__6.redhat_3.ep6.el5
apache-cxf	eq	2.4.9__6.redhat_3.ep6.el6
apache-cxf	eq	2.2.12__6.1.patch_04.ep5.el4

Rows per page:

1-10 of 16001

References

cxf.apache.org/cve-2012-5575.html

rhn.redhat.com/errata/RHSA-2013-0833.html

rhn.redhat.com/errata/RHSA-2013-0834.html

rhn.redhat.com/errata/RHSA-2013-0839.html

rhn.redhat.com/errata/RHSA-2013-0873.html

rhn.redhat.com/errata/RHSA-2013-0874.html

rhn.redhat.com/errata/RHSA-2013-0875.html

rhn.redhat.com/errata/RHSA-2013-0876.html

rhn.redhat.com/errata/RHSA-2013-0943.html

rhn.redhat.com/errata/RHSA-2013-1028.html

rhn.redhat.com/errata/RHSA-2013-1143.html

rhn.redhat.com/errata/RHSA-2013-1437.html

ws.apache.org/wss4j/best_practice.html

www.nds.ruhr-uni-bochum.de/research/publications/backwards-compatibility/

www.securityfocus.com/bid/60043

access.redhat.com/security/updates/classification/#important

bugzilla.redhat.com/show_bug.cgi?id=880443

lists.apache.org/thread.html/r36e44ffc1a9b365327df62cdfaabe85b9a5637de102cea07d79b2dbf%40%3Ccommits.cxf.apache.org%3E

lists.apache.org/thread.html/r36e44ffc1a9b365327df62cdfaabe85b9a5637de102cea07d79b2dbf@%3Ccommits.cxf.apache.org%3E

lists.apache.org/thread.html/rc774278135816e7afc943dc9fc78eb0764f2c84a2b96470a0187315c%40%3Ccommits.cxf.apache.org%3E

lists.apache.org/thread.html/rc774278135816e7afc943dc9fc78eb0764f2c84a2b96470a0187315c@%3Ccommits.cxf.apache.org%3E

lists.apache.org/thread.html/rd49aabd984ed540c8ff7916d4d79405f3fa311d2fdbcf9ed307839a6%40%3Ccommits.cxf.apache.org%3E

lists.apache.org/thread.html/rd49aabd984ed540c8ff7916d4d79405f3fa311d2fdbcf9ed307839a6@%3Ccommits.cxf.apache.org%3E

lists.apache.org/thread.html/rec7160382badd3ef4ad017a22f64a266c7188b9ba71394f0d321e2d4%40%3Ccommits.cxf.apache.org%3E

lists.apache.org/thread.html/rec7160382badd3ef4ad017a22f64a266c7188b9ba71394f0d321e2d4@%3Ccommits.cxf.apache.org%3E

lists.apache.org/thread.html/rfb87e0bf3995e7d560afeed750fac9329ff5f1ad49da365129b7f89e%40%3Ccommits.cxf.apache.org%3E

lists.apache.org/thread.html/rfb87e0bf3995e7d560afeed750fac9329ff5f1ad49da365129b7f89e@%3Ccommits.cxf.apache.org%3E

lists.apache.org/thread.html/rff42cfa5e7d75b7c1af0e37589140a8f1999e578a75738740b244bd4%40%3Ccommits.cxf.apache.org%3E

lists.apache.org/thread.html/rff42cfa5e7d75b7c1af0e37589140a8f1999e578a75738740b244bd4@%3Ccommits.cxf.apache.org%3E