CVE-2013-0239

Apache CXF < 2.5.9, 2.6.x < 2.6.6, 2.7.x < 2.7.3 - Unauthenticated Authentication Bypass via Missing Password Element

Title source: llm
STIX 2.1

Description

Apache CXF before 2.5.9, 2.6.x before 2.6.6, and 2.7.x before 2.7.3, when the plaintext UsernameToken WS-SecurityPolicy is enabled, allows remote attackers to bypass authentication via a security header of a SOAP request containing a UsernameToken element that lacks a password child element.

References (15)

Core 15
Core References
Third Party Advisory, VDB Entry vdb-entry x_refsource_osvdb
http://osvdb.org/90078
Vendor Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/51988
Mailing List mailing-list x_refsource_fulldisc
http://seclists.org/fulldisclosure/2013/Feb/39
Third Party Advisory, VDB Entry vdb-entry x_refsource_xf
https://exchange.xforce.ibmcloud.com/vulnerabilities/81981
Vendor Advisory x_refsource_confirm
http://cxf.apache.org/cve-2013-0239.html
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/57876
Vendor Advisory vendor-advisory x_refsource_redhat
http://rhn.redhat.com/errata/RHSA-2013-0749.html

Scores

EPSS 0.0469
EPSS Percentile 90.6%

Details

CWE
CWE-287
Status published
Products (27)
apache/cxf 2.4.0
apache/cxf 2.4.1
apache/cxf 2.4.2
apache/cxf 2.4.3
apache/cxf 2.4.4
apache/cxf 2.4.5
apache/cxf 2.4.6
apache/cxf 2.4.7
apache/cxf 2.5.0
apache/cxf 2.5.1
... and 17 more
Published Mar 12, 2013
Tracked Since Feb 18, 2026