5

CVE-2013-0239

Apache CXF before 2.5.9, 2.6.x before 2.6.6, and 2.7.x before 2.7.3, when the plaintext UsernameToken WS-SecurityPolicy is enabled, allows remote attackers to bypass authentication via a security header of a SOAP request containing a UsernameToken element that lacks a password child element.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
ApacheCxf Version <= 2.5.8
ApacheCxf Version2.4.0
ApacheCxf Version2.4.1
ApacheCxf Version2.4.2
ApacheCxf Version2.4.3
ApacheCxf Version2.4.4
ApacheCxf Version2.4.5
ApacheCxf Version2.4.6
ApacheCxf Version2.4.7
ApacheCxf Version2.5.0
ApacheCxf Version2.5.1
ApacheCxf Version2.5.2
ApacheCxf Version2.5.3
ApacheCxf Version2.5.4
ApacheCxf Version2.5.5
ApacheCxf Version2.5.6
ApacheCxf Version2.5.7
ApacheCxf Version2.6.0
ApacheCxf Version2.6.1
ApacheCxf Version2.6.2
ApacheCxf Version2.6.3
ApacheCxf Version2.6.4
ApacheCxf Version2.6.5
ApacheCxf Version2.7.0
ApacheCxf Version2.7.1
ApacheCxf Version2.7.2
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 4.69% 0.906
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 5 10 2.9
AV:N/AC:L/Au:N/C:N/I:P/A:N
CWE-287 Improper Authentication

When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.

https://lists.apache.org/thread.html/r36e44ffc1a9b365327df62cdfaabe85b9a5637de102cea07d79b2dbf%40%3Ccommits.cxf.apache.org%3E
https://lists.apache.org/thread.html/rc774278135816e7afc943dc9fc78eb0764f2c84a2b96470a0187315c%40%3Ccommits.cxf.apache.org%3E
https://lists.apache.org/thread.html/rd49aabd984ed540c8ff7916d4d79405f3fa311d2fdbcf9ed307839a6%40%3Ccommits.cxf.apache.org%3E
https://lists.apache.org/thread.html/rec7160382badd3ef4ad017a22f64a266c7188b9ba71394f0d321e2d4%40%3Ccommits.cxf.apache.org%3E
https://lists.apache.org/thread.html/rfb87e0bf3995e7d560afeed750fac9329ff5f1ad49da365129b7f89e%40%3Ccommits.cxf.apache.org%3E
https://lists.apache.org/thread.html/rff42cfa5e7d75b7c1af0e37589140a8f1999e578a75738740b244bd4%40%3Ccommits.cxf.apache.org%3E
http://rhn.redhat.com/errata/RHSA-2013-0749.html
http://seclists.org/fulldisclosure/2013/Feb/39
http://secunia.com/advisories/51988
Vendor Advisory
http://cxf.apache.org/cve-2013-0239.html
Vendor Advisory
http://osvdb.org/90078
http://packetstormsecurity.com/files/120214/Apache-CXF-WS-Security-UsernameToken-Bypass.html
http://svn.apache.org/viewvc?view=revision&revision=1438424
Patch
http://www.securityfocus.com/bid/57876
https://exchange.xforce.ibmcloud.com/vulnerabilities/81981