CVE-2012-5575

Apache CXF 2.5.x <2.5.10, 2.6.x <2.6.7, 2.7.x <2.7.4 - XML Encryption Algorithm Downgrade

Title source: llm

Description

Apache CXF 2.5.x before 2.5.10, 2.6.x before 2.6.7, and 2.7.x before 2.7.4 does not verify that a specified cryptographic algorithm is allowed by the WS-SecurityPolicy AlgorithmSuite definition before decrypting. This allows remote attackers to force CXF to use weaker cryptographic algorithms than intended and makes it easier to decrypt communications, aka the "XML Encryption backwards compatibility attack."

Exploits (1)

nomisec STUB
by tafamace · poc
https://github.com/tafamace/CVE-2012-5575

References (21)


Scores

EPSS 0.0950
EPSS Percentile 92.9%

Details

CWE CWE-310
Status published
Products (27)
apache/cxf 2.5.0
apache/cxf 2.5.1
apache/cxf 2.5.2
apache/cxf 2.5.3
apache/cxf 2.5.4
apache/cxf 2.5.5
apache/cxf 2.5.6
apache/cxf 2.5.7
apache/cxf 2.5.8
apache/cxf 2.5.9
... and 17 more
Published Aug 19, 2013
Tracked Since Feb 18, 2026