CVE-2017-5653

MEDIUM

Apache CXF < 3.0.13 and 3.1.x < 3.1.11 - JAX-RS XML Security Streaming Clients Accept Unsigned/Unencrypted Responses

Title source: rule

Description

JAX-RS XML Security streaming clients in Apache CXF before 3.1.11 and 3.0.13 do not validate that the service response was signed or encrypted, which allows remote attackers to spoof servers. In practice, a client configured to expect a signed and/or encrypted XML response would still accept a plain, unprotected one: signature and decryption processing is only applied to protection that is actually present in the response, so an attacker who can impersonate the service or alter traffic in transit can return arbitrary payload content without holding the service's signing key. The CVSS vector (C:N/I:L/A:N) reflects this: the issue is a loss of response integrity, not disclosure. Per the Apache CXF advisory, only the streaming (StAX-based) JAX-RS XML Security clients are affected; the DOM-based JAX-RS XML Security clients and the WS-Security clients are not. The fix is to upgrade to 3.1.11 or 3.0.13 (or later on the respective branch).
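The following is an added example, not Apache CXF code, showing the difference between a client that verifies a signature only when one is present (the pre-fix behaviour described above) and one that requires the response to be signed. To stay self-contained it substitutes an HMAC over a simplified canonical form of the body for real XML-DSig, uses a constructed shared key and a constructed `urn:example:books` service; the `spoof_response` attacker, the Envelope layout and all function names are assumptions for illustration. The same "require, do not merely verify if present" rule applies to encrypted (`xenc:EncryptedData`) responses, which the example omits.

```python
import base64
import copy
import hashlib
import hmac
import xml.etree.ElementTree as ET

DS_NS = "http://www.w3.org/2000/09/xmldsig#"
BOOKS_NS = "urn:example:books"          # constructed namespace for the sample service
SIG_TAG = "{%s}Signature" % DS_NS
SERVICE_KEY = b"constructed-demo-key"   # stand-in for the service's signing key (assumption)


class ResponseRejected(Exception):
    """Raised when a client refuses a response."""


def canonical(elem: ET.Element) -> bytes:
    """Simplified canonicalisation: serialise the element subtree without its tail text.
    Real XML-DSig uses C14N; this is enough for both sides here to agree on the bytes."""
    elem = copy.deepcopy(elem)
    elem.tail = None
    return ET.tostring(elem)


def genuine_body() -> ET.Element:
    # Constructed sample payload, not captured traffic.
    return ET.fromstring(
        '<Book xmlns="%s"><Title>Hardened</Title><Price>10</Price></Book>' % BOOKS_NS
    )


def make_signed_response(body: ET.Element) -> bytes:
    """Service side (assumed): an Envelope holding the body plus a ds:Signature whose
    SignatureValue is an HMAC over the canonical body (HMAC stands in for XML-DSig)."""
    env = ET.Element("Envelope")
    env.append(body)
    mac = hmac.new(SERVICE_KEY, canonical(body), hashlib.sha256).digest()
    sig = ET.SubElement(env, SIG_TAG)
    ET.SubElement(sig, "{%s}SignatureValue" % DS_NS).text = base64.b64encode(mac).decode()
    return ET.tostring(env)


GENUINE_RESPONSE = make_signed_response(genuine_body())


def spoof_response(response: bytes, new_price: int, drop_signature: bool) -> bytes:
    """Attacker impersonating the service. Without the key it cannot re-sign, so it
    either keeps the stale Signature (caught by verification) or removes it entirely."""
    env = ET.fromstring(response)
    env.find("{%s}Book/{%s}Price" % (BOOKS_NS, BOOKS_NS)).text = str(new_price)
    sig = env.find(SIG_TAG)
    if drop_signature and sig is not None:
        env.remove(sig)
    return ET.tostring(env)


def split_envelope(response: bytes):
    # A production client should parse untrusted XML with a hardened parser;
    # the stdlib parser is used here only to keep the example self-contained.
    env = ET.fromstring(response)
    sig = env.find(SIG_TAG)
    body = next((child for child in env if child.tag != SIG_TAG), None)
    if body is None:
        raise ResponseRejected("envelope carries no body")
    return body, sig


def verify_signature(body: ET.Element, sig: ET.Element) -> None:
    expected = hmac.new(SERVICE_KEY, canonical(body), hashlib.sha256).digest()
    given = base64.b64decode(sig.findtext("{%s}SignatureValue" % DS_NS) or "")
    if not hmac.compare_digest(given, expected):
        raise ResponseRejected("signature does not verify")


def parse_book(body: ET.Element) -> dict:
    ns = {"b": BOOKS_NS}
    return {"title": body.findtext("b:Title", namespaces=ns),
            "price": int(body.findtext("b:Price", namespaces=ns))}


def vulnerable_client(response: bytes) -> dict:
    """Behaviour the advisory describes: signature processing runs only when a
    Signature element is present, so a response with none is accepted unchecked."""
    body, sig = split_envelope(response)
    if sig is not None:
        verify_signature(body, sig)
    return parse_book(body)


def hardened_client(response: bytes, require_signature: bool = True) -> dict:
    """Fixed behaviour: a client configured for signed responses rejects an
    unsigned one before it looks at the payload."""
    body, sig = split_envelope(response)
    if require_signature and sig is None:
        raise ResponseRejected("response is not signed")
    if sig is not None:
        verify_signature(body, sig)
    return parse_book(body)


def accepts(client, response: bytes) -> bool:
    """True if the client returns a parsed body, False if it rejects the response."""
    try:
        client(response)
        return True
    except ResponseRejected:
        return False


if __name__ == "__main__":
    tampered = spoof_response(GENUINE_RESPONSE, 0, drop_signature=False)
    unsigned = spoof_response(GENUINE_RESPONSE, 0, drop_signature=True)
    for name, resp in [("genuine", GENUINE_RESPONSE), ("tampered", tampered), ("unsigned", unsigned)]:
        print(name, "vulnerable accepts:", accepts(vulnerable_client, resp),
              "hardened accepts:", accepts(hardened_client, resp))
```

Both clients reject the tampered response that still carries the stale signature, which is the point: the verification code itself is fine, and the bug is only that the vulnerable client never insists on a signature being there. Dropping the Signature element is all the attacker needs against it.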

Scores

CVSS v3 5.3
EPSS 0.0317 (3.17%)
EPSS Percentile 86.8%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Classification

CWE
CWE-295 Improper Certificate Validation
Status published

Affected Products (4)

apache/cxf < 3.0.13
org.apache.cxf/cxf-core < 3.1.11 (Maven)
Apache Software Foundation/Apache CXF prior to 3.0.13
Apache Software Foundation/Apache CXF 3.1.x prior to 3.1.11

Timeline

Published Apr 18, 2017
Tracked Since Feb 18, 2026