Lumension® Endpoint Intelligence Center


Overview

Vulnerability Score 5.8
CVE Id CVE-2012-5633
Last Modified 04 Jun 2013 11:39:34
Published 12 Mar 2013 07:55:01
Confidentiality Impact PARTIAL
Integrity Impact PARTIAL
Availability Impact NONE
Access Vector NETWORK
Access Complexity MEDIUM
Authentication NONE

CVE-2012-5633

Summary

The URIMappingInterceptor in Apache CXF before 2.5.8, 2.6.x before 2.6.5, and 2.7.x before 2.7.2, when using the WSS4JInInterceptor, bypasses WS-Security processing, which allows remote attackers to obtain access to SOAP services via an HTTP GET request.

Vulnerable Systems

Application

  • Apache CXF 2.5.0
  • Apache CXF 2.5.1
  • Apache CXF 2.5.2
  • Apache CXF 2.5.3
  • Apache CXF 2.5.4
  • Apache CXF 2.5.5
  • Apache CXF 2.5.6
  • Apache CXF 2.5.7
  • Apache CXF 2.6.0
  • Apache CXF 2.6.1
  • Apache CXF 2.6.2
  • Apache CXF 2.6.3
  • Apache CXF 2.6.4
  • Apache CXF 2.7.0
  • Apache CXF 2.7.1


References

MISC - https://issues.jboss.org/browse/JBWS-3575

CONFIRM - https://issues.apache.org/jira/browse/CXF-4629

XF - apachecxf-wssecurity-security-bypass(81980)

BID - 57874

CONFIRM - http://svn.apache.org/viewvc?view=revision&revision=1420698

CONFIRM - http://svn.apache.org/viewvc?view=revision&revision=1409324

MISC - http://stackoverflow.com/questions/7933293/why-does-apache-cxf-ws-security-implementation-ignore-get-requests

SECUNIA - 52183

SECUNIA - 51988

FULLDISC - 20130208 New security advisories for Apache CXF

REDHAT - RHSA-2013:0259

REDHAT - RHSA-2013:0258

REDHAT - RHSA-2013:0257

REDHAT - RHSA-2013:0256

MISC - http://packetstormsecurity.com/files/120213/Apache-CXF-WS-Security-URIMappingInterceptor-Bypass.html

OSVDB - 90079

CONFIRM - http://cxf.apache.org/cve-2012-5633.html

REDHAT - RHSA-2013:0743

REDHAT - RHSA-2013:0726

REDHAT - RHSA-2013:0749


Last Updated: 27 May 2016 11:02:06