Vulnerability CVE-2012-5633


Published: 2013-03-12   Modified: 2013-03-15

Description:
The URIMappingInterceptor in Apache CXF before 2.5.8, 2.6.x before 2.6.5, and 2.7.x before 2.7.2, when using the WSS4JInInterceptor, bypasses WS-Security processing, which allows remote attackers to obtain access to SOAP services via an HTTP GET request.

See advisories in our WLB2 database:
Risk: High
Topic: Apache CXF WSS4JInInterceptor always allows HTTP Get requests
Author: Apache
Date: 11.02.2013

CVSS2 => (AV:N/AC:M/Au:N/C:P/I:P/A:N)

CVSS Base Score: 5.8/10
Impact Subscore: 4.9/10
Exploitability Subscore: 8.6/10
Exploit range: Remote
Attack complexity: Medium
Authentication: Not required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: None
Affected software: Apache -> CXF

References:
https://issues.jboss.org/browse/JBWS-3575
https://issues.apache.org/jira/browse/CXF-4629
http://xforce.iss.net/xforce/xfdb/81980
http://www.securityfocus.com/bid/57874
http://svn.apache.org/viewvc?view=revision&revision=1420698
http://svn.apache.org/viewvc?view=revision&revision=1409324
http://stackoverflow.com/questions/7933293/why-does-apache-cxf-ws-security-implementation-ignore-get-requests
http://secunia.com/advisories/52183
http://secunia.com/advisories/51988
http://seclists.org/fulldisclosure/2013/Feb/39
http://rhn.redhat.com/errata/RHSA-2013-0749.html
http://rhn.redhat.com/errata/RHSA-2013-0743.html
http://rhn.redhat.com/errata/RHSA-2013-0726.html
http://rhn.redhat.com/errata/RHSA-2013-0259.html
http://rhn.redhat.com/errata/RHSA-2013-0258.html
http://rhn.redhat.com/errata/RHSA-2013-0257.html
http://rhn.redhat.com/errata/RHSA-2013-0256.html
http://packetstormsecurity.com/files/120213/Apache-CXF-WS-Security-URIMappingInterceptor-Bypass.html
http://osvdb.org/90079
http://cxf.apache.org/cve-2012-5633.html

Copyright 2024, cxsecurity.com