
CVE-2012-2378

Apache CXF 2.4.5 through 2.4.7, 2.5.1 through 2.5.3, and 2.6.x before 2.6.1 does not properly enforce the child policies of a WS-SecurityPolicy 1.1 SupportingToken policy on the client side, which allows remote attackers to bypass the (1) AlgorithmSuite, (2) SignedParts, (3) SignedElements, (4) EncryptedParts, and (5) EncryptedElements policies.

Details Source

Mitre

Public Date

2012-06-07 00:00:00

Impact

Moderate

Bugzilla

CVE-2012-2378 jbossws-cxf, apache-cxf: Certain child policies of WS-SecurityPolicy 1.1 SupportingToken policy not applied on the client side

Bugzilla ID

826533

CVSS Status

verified

Base Score

4.30

Base Metrics

AV:N/AC:M/Au:N/C:P/I:N/A:N

Acknowledgements

Red Hat would like to thank the Apache CXF project for reporting this issue.

External References

http://cxf.apache.org/cve-2012-2378.html

Red Hat Security Errata

Platform                                                         Errata          Release Date
Red Hat JBoss Enterprise Application Platform 6.0                RHSA-2012:1594  2012-12-18
Red Hat JBoss Enterprise Application Platform 6 for RHEL 6 Server RHSA-2012:1592  2012-12-18
Red Hat JBoss Enterprise Application Platform 6 for RHEL 5 Server RHSA-2012:1591  2012-12-18

Affected Packages State

Platform                        Package     State
Red Hat OpenShift Enterprise 1  Cartridges  Affected