- EPSS 4.69%
- Veröffentlicht 12.03.2013 23:55:01
- Zuletzt bearbeitet 29.04.2026 01:13:23
Apache CXF before 2.5.9, 2.6.x before 2.6.6, and 2.7.x before 2.7.3, when the plaintext UsernameToken WS-SecurityPolicy is enabled, allows remote attackers to bypass authentication via a security header of a SOAP request containing a UsernameToken el...
CVE-2012-5633
- EPSS 8.16%
- Veröffentlicht 12.03.2013 23:55:01
- Zuletzt bearbeitet 29.04.2026 01:13:23
The URIMappingInterceptor in Apache CXF before 2.5.8, 2.6.x before 2.6.5, and 2.7.x before 2.7.2, when using the WSS4JInInterceptor, bypasses WS-Security processing, which allows remote attackers to obtain access to SOAP services via an HTTP GET requ...
CVE-2012-2378
- EPSS 3.93%
- Veröffentlicht 05.01.2013 00:55:02
- Zuletzt bearbeitet 16.06.2026 23:41:27
Apache CXF 2.4.5 through 2.4.7, 2.5.1 through 2.5.3, and 2.6.x before 2.6.1, does not properly enforce child policies of a WS-SecurityPolicy 1.1 SupportingToken policy on the client side, which allows remote attackers to bypass the (1) AlgorithmSuite...
- EPSS 4.11%
- Veröffentlicht 03.01.2013 01:55:01
- Zuletzt bearbeitet 16.06.2026 23:41:27
Apache CXF 2.4.x before 2.4.8, 2.5.x before 2.5.4, and 2.6.x before 2.6.1, when a Supporting Token specifies a child WS-SecurityPolicy 1.1 or 1.2 policy, does not properly ensure that an XML element is signed or encrypted, which has unspecified impac...
CVE-2012-5786
- EPSS 1.08%
- Veröffentlicht 04.11.2012 22:55:03
- Zuletzt bearbeitet 16.06.2026 23:47:20
The wsdl_first_https sample code in distribution/src/main/release/samples/wsdl_first_https/src/main/ in Apache CXF before 2.7.0 does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field o...
CVE-2012-3451
- EPSS 8.88%
- Veröffentlicht 24.09.2012 17:55:01
- Zuletzt bearbeitet 16.06.2026 23:43:14
Apache CXF before 2.4.9, 2.5.x before 2.5.5, and 2.6.x before 2.6.2 allows remote attackers to execute unintended web-service operations by sending a header with a SOAP Action String that is inconsistent with the message body.
CVE-2010-2076
- EPSS 9.79%
- Veröffentlicht 19.08.2010 18:00:02
- Zuletzt bearbeitet 16.06.2026 23:19:56
Apache CXF 2.0.x before 2.0.13, 2.1.x before 2.1.10, and 2.2.x before 2.2.9, as used in Apache ServiceMix, Apache Camel, Apache Chemistry, Apache jUDDI, Apache Geronimo, and other products, does not properly reject DTDs in SOAP messages, which allows...