CVE-2012-5633

Apache CXF before 2.5.8, 2.6.x before 2.6.5, 2.7.x before 2.7.2 - Authentication Bypass


Description

The URIMappingInterceptor in Apache CXF before 2.5.8, 2.6.x before 2.6.5, and 2.7.x before 2.7.2, when using the WSS4JInInterceptor, bypasses WS-Security processing, which allows remote attackers to obtain access to SOAP services via an HTTP GET request.


Scores

EPSS 0.0179
EPSS Percentile 82.5%

Classification

CWE
CWE-287
Status draft

Affected Products (16)

apache/cxf < 2.5.7
apache/cxf

Timeline

Published Mar 12, 2013
Tracked Since Feb 18, 2026