Improper Authentication in Apache CXF

Moderate severity GitHub Reviewed Published May 5, 2022 to the GitHub Advisory Database • Updated Dec 21, 2023

Package

maven org.apache.cxf:cxf-rt-frontend-jaxrs (Maven)

Affected versions

< 2.5.9
>= 2.6.0, < 2.6.6
>= 2.7.0, < 2.7.3

Patched versions

2.5.9
2.6.6
2.7.3

Description

Apache CXF before 2.5.9, 2.6.x before 2.6.6, and 2.7.x before 2.7.3, when the plaintext UsernameToken WS-SecurityPolicy is enabled, allows remote attackers to bypass authentication via the security header of a SOAP request containing a UsernameToken element that lacks a Password child element. In affected versions a token carrying only a Username is accepted as satisfying the policy, so no credential is ever checked. Patched versions are 2.5.9, 2.6.6, and 2.7.3; until you upgrade, treat any UsernameToken received without a Password child (or with an empty one) as unauthenticated rather than as a token whose password happens not to need checking.
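The bypass described above, as an added illustration that is not Apache CXF or WSS4J code: it builds constructed SOAP requests carrying a WS-Security UsernameToken and contrasts a validator that only verifies the password when a Password element is present (the bypassable pattern) with one that requires it. The credential store `USERS`, the users "alice" and "mallory", and the functions `soap_request`, `extract_username_token`, `vulnerable_authenticate` and `hardened_authenticate` are assumptions made for this example; the namespace URIs are the standard WS-Security ones.

```python
# Added illustration for CVE-2013-0239; not Apache CXF or WSS4J code.
# Builds constructed SOAP requests with a WS-Security UsernameToken and
# contrasts a validator that checks the password only when a Password
# element is present (bypassable) with one that requires it.
import hmac
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE = ("http://docs.oasis-open.org/wss/2004/01/"
        "oasis-200401-wss-wssecurity-secext-1.0.xsd")
PASSWORD_TEXT = ("http://docs.oasis-open.org/wss/2004/01/"
                 "oasis-200401-wss-username-token-profile-1.0#PasswordText")

# Constructed credential store (hypothetical user) for the example.
USERS = {"alice": "s3cret"}


def soap_request(username, password=None):
    """Constructed SOAP envelope with a plaintext UsernameToken.

    With password=None the Password child is omitted, which is the shape
    of the request that triggers the bypass.
    """
    pw = ""
    if password is not None:
        pw = (f'<wsse:Password Type="{PASSWORD_TEXT}">'
              f'{escape(password)}</wsse:Password>')
    return (
        f'<soap:Envelope xmlns:soap="{SOAP}">'
        "<soap:Header>"
        f'<wsse:Security xmlns:wsse="{WSSE}">'
        "<wsse:UsernameToken>"
        f"<wsse:Username>{escape(username)}</wsse:Username>{pw}"
        "</wsse:UsernameToken>"
        "</wsse:Security>"
        "</soap:Header>"
        "<soap:Body/>"
        "</soap:Envelope>"
    )


def extract_username_token(envelope):
    """Return (username, password-or-None) from the first UsernameToken,
    or None when the header carries no token at all."""
    root = ET.fromstring(envelope)
    token = root.find(f".//{{{WSSE}}}UsernameToken")
    if token is None:
        return None
    username = token.findtext(f"{{{WSSE}}}Username")
    pw_el = token.find(f"{{{WSSE}}}Password")
    # An absent element and an empty <wsse:Password/> both yield None.
    password = pw_el.text if pw_el is not None else None
    return username, password


def vulnerable_authenticate(envelope):
    """Flawed pattern: the policy is satisfied by the presence of a
    UsernameToken, and the password is checked only when one was sent."""
    token = extract_username_token(envelope)
    if token is None:
        return False
    username, password = token
    if password is None:
        return username in USERS      # no password, so no check: the bypass
    return USERS.get(username) == password


def hardened_authenticate(envelope):
    """A plaintext UsernameToken policy requires a password: reject tokens
    without one, then compare the supplied value in constant time."""
    token = extract_username_token(envelope)
    if token is None:
        return False
    username, password = token
    if not username or password is None:
        return False
    expected = USERS.get(username)
    if expected is None:
        return False
    return hmac.compare_digest(expected.encode(), password.encode())


if __name__ == "__main__":
    cases = [("valid", soap_request("alice", "s3cret")),
             ("wrong password", soap_request("alice", "wrong")),
             ("no Password element", soap_request("alice")),
             ("empty Password element", soap_request("alice", ""))]
    for label, env in cases:
        print(f"{label:24s} vulnerable={vulnerable_authenticate(env)!s:6s}"
              f"hardened={hardened_authenticate(env)}")
```

Note that an empty `<wsse:Password></wsse:Password>` parses to the same `None` as a missing element, so the hardened check treats both as "no password supplied"; a validator that only branches on whether the element exists would still let the empty form through.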

References

Published by the National Vulnerability Database Mar 12, 2013
Published to the GitHub Advisory Database May 5, 2022
Reviewed Jul 8, 2022
Last updated Dec 21, 2023

Severity

Moderate

EPSS score

0.313%
(70th percentile)

CVE ID

CVE-2013-0239

GHSA ID

GHSA-p5c5-6564-vvr8
