Apache

Cxf

57 Schwachstellen gefunden.

Hinweis: Diese Liste kann unvollständig sein. Daten werden ohne Gewähr im Ursprungsformat bereitgestellt.
  • EPSS 11.17%
  • Veröffentlicht 18.04.2017 16:59:00
  • Zuletzt bearbeitet 13.05.2026 00:24:29

JAX-RS XML Security streaming clients in Apache CXF before 3.1.11 and 3.0.13 do not validate that the service response was signed or encrypted, which allows remote attackers to spoof servers.

  • EPSS 5.7%
  • Veröffentlicht 18.11.2015 16:59:00
  • Zuletzt bearbeitet 06.05.2026 22:30:45

The SAML Web SSO module in Apache CXF before 2.7.18, 3.0.x before 3.0.7, and 3.1.x before 3.1.3 allows remote authenticated users to bypass authentication via a crafted SAML response with a valid signed assertion, related to a "wrapping attack."

  • EPSS 9.22%
  • Veröffentlicht 30.10.2014 14:55:07
  • Zuletzt bearbeitet 06.05.2026 22:30:45

Apache WSS4J before 1.6.17 and 2.x before 2.0.2, as used in Apache CXF 2.7.x before 2.7.13 and 3.0.x before 3.0.2, when using TransportBinding, does not properly enforce the SAML SubjectConfirmation method security semantics, which allows remote atta...

  • EPSS 7.18%
  • Veröffentlicht 30.10.2014 14:55:07
  • Zuletzt bearbeitet 06.05.2026 22:30:45

The SamlHeaderInHandler in Apache CXF before 2.6.11, 2.7.x before 2.7.8, and 3.0.x before 3.0.1 allows remote attackers to cause a denial of service (infinite loop) via a crafted SAML token in the authorization header of a request to a JAX-RS service...

  • EPSS 7.05%
  • Veröffentlicht 07.07.2014 14:55:03
  • Zuletzt bearbeitet 06.05.2026 22:30:45

The SymmetricBinding in Apache CXF before 2.6.13 and 2.7.x before 2.7.10, when EncryptBeforeSigning is enabled and the UsernameToken policy is set to an EncryptedSupportingToken, transmits the UsernameToken in cleartext, which allows remote attackers...

  • EPSS 7.41%
  • Veröffentlicht 07.07.2014 14:55:03
  • Zuletzt bearbeitet 06.05.2026 22:30:45

The SecurityTokenService (STS) in Apache CXF before 2.6.12 and 2.7.x before 2.7.9 does not properly validate SAML tokens when caching is enabled, which allows remote attackers to gain access via an invalid SAML token.

  • EPSS 3.64%
  • Veröffentlicht 08.05.2014 14:29:13
  • Zuletzt bearbeitet 06.05.2026 22:30:45

Apache CXF before 2.6.14 and 2.7.x before 2.7.11 allows remote attackers to cause a denial of service (/tmp disk consumption) via a large invalid SOAP message.

  • EPSS 3.64%
  • Veröffentlicht 08.05.2014 14:29:13
  • Zuletzt bearbeitet 06.05.2026 22:30:45

Apache CXF before 2.6.14 and 2.7.x before 2.7.11 allows remote attackers to cause a denial of service (memory consumption) via a large request with the Content-Type set to text/html to a SOAP endpoint, which triggers an error.

  • EPSS 32.26%
  • Veröffentlicht 19.08.2013 23:55:08
  • Zuletzt bearbeitet 29.04.2026 01:13:23

The streaming XML parser in Apache CXF 2.5.x before 2.5.10, 2.6.x before 2.6.7, and 2.7.x before 2.7.4 allows remote attackers to cause a denial of service (CPU and memory consumption) via crafted XML with a large number of (1) elements, (2) attribut...

  • EPSS 6.32%
  • Veröffentlicht 19.08.2013 23:55:08
  • Zuletzt bearbeitet 29.04.2026 01:13:23

Apache CXF 2.5.x before 2.5.10, 2.6.x before CXF 2.6.7, and 2.7.x before CXF 2.7.4 does not verify that a specified cryptographic algorithm is allowed by the WS-SecurityPolicy AlgorithmSuite definition before decrypting, which allows remote attackers...