CVE-2017-5653

MEDIUM

Apache CXF 3.0.0-3.0.12 and 3.1.0-3.1.10 - Improper Certificate Validation in JAX-RS XML Security Streaming Clients


Description

JAX-RS XML Security streaming clients in Apache CXF before 3.1.11 and 3.0.13 do not validate that the service response was signed or encrypted, which allows remote attackers to spoof servers.

References (10)

Core References
Vendor Advisory, Issue Tracking (Red Hat): https://access.redhat.com/errata/RHSA-2017:1832
Third Party Advisory, VDB Entry (SecurityTracker): http://www.securitytracker.com/id/1038279
Third Party Advisory, VDB Entry (SecurityFocus BID): http://www.securityfocus.com/bid/97968

Scores

CVSS v3 5.3
EPSS 0.0317
EPSS Percentile 87.1%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Details

CWE
CWE-295
Status published
Products (4)
apache/cxf 3.0.0 - 3.0.13
Apache Software Foundation/Apache CXF 3.1.x prior to 3.1.11
Apache Software Foundation/Apache CXF prior to 3.0.13
org.apache.cxf/cxf-core 3.1.0 - 3.1.11 (Maven)
Published Apr 18, 2017
Tracked Since Feb 18, 2026