Lumension® Endpoint Intelligence Center


Overview

Vulnerability Score 5.0
CVE Id CVE-2013-0239
Last Modified 04 Jun 2013 11:40:37
Published 12 Mar 2013 07:55:01
Confidentiality Impact NONE
Integrity Impact PARTIAL
Availability Impact NONE
Access Vector NETWORK
Access Complexity LOW
Authentication NONE

CVE-2013-0239

Summary

Apache CXF before 2.5.9, 2.6.x before 2.6.6, and 2.7.x before 2.7.3, when the plaintext UsernameToken WS-SecurityPolicy is enabled, allows remote attackers to bypass authentication via a security header of a SOAP request containing a UsernameToken element that lacks a password child element.

Vulnerable Systems

Application

  • Apache CXF 2.4.0
  • Apache CXF 2.4.1
  • Apache CXF 2.4.2
  • Apache CXF 2.4.3
  • Apache CXF 2.4.4
  • Apache CXF 2.4.5
  • Apache CXF 2.4.6
  • Apache CXF 2.4.7
  • Apache CXF 2.5.0
  • Apache CXF 2.5.1
  • Apache CXF 2.5.2
  • Apache CXF 2.5.3
  • Apache CXF 2.5.4
  • Apache CXF 2.5.5
  • Apache CXF 2.5.6
  • Apache CXF 2.5.7
  • Apache CXF 2.5.8
  • Apache CXF 2.6.0
  • Apache CXF 2.6.1
  • Apache CXF 2.6.2
  • Apache CXF 2.6.3
  • Apache CXF 2.6.4
  • Apache CXF 2.6.5
  • Apache CXF 2.7.0
  • Apache CXF 2.7.1
  • Apache CXF 2.7.2


References

XF - apachecxf-username-tokens-sec-bypass(81981)

BID - 57876

CONFIRM - http://svn.apache.org/viewvc?view=revision&revision=1438424

SECUNIA - 51988

FULLDISC - 20130208 New security advisories for Apache CXF

MISC - http://packetstormsecurity.com/files/120214/Apache-CXF-WS-Security-UsernameToken-Bypass.html

OSVDB - 90078

CONFIRM - http://cxf.apache.org/cve-2013-0239.html

REDHAT - RHSA-2013:0749


Last Updated: 27 May 2016 11:02:04