CVE-2012-5575

2013-08-1923:55:00

CWE-310

[email protected]

web.nvd.nist.gov

cve-2012-5575

apache cxf

xml encryption

algorithmsuite

ws-securitypolicy

5.7 Medium

AI Score

Confidence

High

6.4 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:L/Au:N/C:P/I:P/A:N

0.003 Low

EPSS

Percentile

71.4%

JSON

Apache CXF 2.5.x before 2.5.10, 2.6.x before CXF 2.6.7, and 2.7.x before CXF 2.7.4 does not verify that a specified cryptographic algorithm is allowed by the WS-SecurityPolicy AlgorithmSuite definition before decrypting, which allows remote attackers to force CXF to use weaker cryptographic algorithms than intended and makes it easier to decrypt communications, aka “XML Encryption backwards compatibility attack.”

CPENameOperatorVersion
apache:cxfapache cxfeq2.5.2
apache:cxfapache cxfeq2.5.9
redhat:jboss_enterprise_web_platformredhat jboss enterprise web platformeq5.2.0
redhat:jboss_enterprise_soa_platformredhat jboss enterprise soa platformeq4.3.0
apache:cxfapache cxfeq2.6.0
apache:cxfapache cxfeq2.5.3
apache:cxfapache cxfeq2.7.3
apache:cxfapache cxfeq2.5.7
redhat:jboss_fuse_esb_enterpriseredhat jboss fuse esb enterpriseeq7.1.0
apache:cxfapache cxfeq2.6.2

CPE	Name	Operator	Version
apache:cxf	apache cxf	eq	2.5.2
apache:cxf	apache cxf	eq	2.5.9
redhat:jboss_enterprise_web_platform	redhat jboss enterprise web platform	eq	5.2.0
redhat:jboss_enterprise_soa_platform	redhat jboss enterprise soa platform	eq	4.3.0
apache:cxf	apache cxf	eq	2.6.0
apache:cxf	apache cxf	eq	2.5.3
apache:cxf	apache cxf	eq	2.7.3
apache:cxf	apache cxf	eq	2.5.7
redhat:jboss_fuse_esb_enterprise	redhat jboss fuse esb enterprise	eq	7.1.0
apache:cxf	apache cxf	eq	2.6.2