CVE-2012-2378

Apache CXF 2.4.5-2.4.7 2.5.1-2.5.3 < 2.6.1 - Security Policy Bypass via WS-SecurityPolicy SupportingToken

Title source: llm
STIX 2.1

Description

Apache CXF 2.4.5 through 2.4.7, 2.5.1 through 2.5.3, and 2.6.x before 2.6.1, does not properly enforce child policies of a WS-SecurityPolicy 1.1 SupportingToken policy on the client side, which allows remote attackers to bypass the (1) AlgorithmSuite, (2) SignedParts, (3) SignedElements, (4) EncryptedParts, and (5) EncryptedElements policies.

References (13)

Core 13
Core References
Vendor Advisory vendor-advisory x_refsource_redhat
http://rhn.redhat.com/errata/RHSA-2012-1594.html
Vendor Advisory vendor-advisory x_refsource_redhat
http://rhn.redhat.com/errata/RHSA-2012-1592.html
Vendor Advisory vendor-advisory x_refsource_redhat
http://rhn.redhat.com/errata/RHSA-2012-1591.html
Vendor Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/51607
Vendor Advisory x_refsource_confirm
http://cxf.apache.org/cve-2012-2378.html
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/53880

Scores

EPSS 0.0393
EPSS Percentile 89.2%

Details

CWE
CWE-264
Status published
Products (8)
apache/cxf 2.4.5
apache/cxf 2.4.6
apache/cxf 2.4.7
apache/cxf 2.5.1
apache/cxf 2.5.2
apache/cxf 2.5.3
apache/cxf 2.6.0
org.apache.cxf/cxf 2.4.5 - 2.4.8Maven
Published Jan 05, 2013
Tracked Since Feb 18, 2026