CVE-2012-2379
apache-cxf: Apache CXF does not verify that elements were signed / encrypted by a particular Supporting Token
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
0Exploited in Wild
-Decision
Descriptions
Apache CXF 2.4.x before 2.4.8, 2.5.x before 2.5.4, and 2.6.x before 2.6.1, when a Supporting Token specifies a child WS-SecurityPolicy 1.1 or 1.2 policy, does not properly ensure that an XML element is signed or encrypted, which has unspecified impact and attack vectors.
Apache CXF v2.4.x antes de v2.4.8, v2.5.x antes de v2.5.4, y v2.6.x antes de v2.6.1, cuando un Supporting Token especifica una política hija WS-SecurityPolicy 1.1 o 1.2, no se aseguran de que un elemento XML está firmado o cifrado, lo que tiene un impacto y vectores de ataque no especificados.
JBoss Enterprise SOA Platform is the next-generation ESB and business process automation infrastructure. JBoss Enterprise SOA Platform allows IT to leverage existing, modern, and future integration methodologies to dramatically improve business process execution speed and quality. This roll up patch serves as a cumulative upgrade for JBoss Enterprise SOA Platform 5.3.0. It includes various bug fixes. The following security issue is also fixed with this release: A flaw was found in the way Apache CXF verified that XML elements were signed or encrypted by a particular Supporting Token. Apache CXF checked to ensure these elements were signed or encrypted by a Supporting Token, but not whether the correct token was used. A remote attacker could use this flaw to transmit confidential information without the appropriate security, and potentially circumvent access controls on web services exposed via Apache CXF.
CVSS Scores
SSVC
- Decision:-
Timeline
- 2012-04-19 CVE Reserved
- 2012-06-08 CVE Published
- 2024-08-06 CVE Updated
- 2025-03-30 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
CAPEC
References (26)
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|---|---|
| http://cxf.apache.org/cve-2012-2379.html | 2023-02-13 |
| URL | Date | SRC |
|---|---|---|
| http://rhn.redhat.com/errata/RHSA-2012-1559.html | 2023-02-13 | |
| http://rhn.redhat.com/errata/RHSA-2012-1573.html | 2023-02-13 | |
| http://rhn.redhat.com/errata/RHSA-2012-1591.html | 2023-02-13 | |
| http://rhn.redhat.com/errata/RHSA-2012-1592.html | 2023-02-13 | |
| http://rhn.redhat.com/errata/RHSA-2012-1593.html | 2023-02-13 | |
| http://rhn.redhat.com/errata/RHSA-2012-1594.html | 2023-02-13 | |
| http://rhn.redhat.com/errata/RHSA-2013-0191.html | 2023-02-13 | |
| http://rhn.redhat.com/errata/RHSA-2013-0192.html | 2023-02-13 | |
| http://rhn.redhat.com/errata/RHSA-2013-0193.html | 2023-02-13 | |
| http://rhn.redhat.com/errata/RHSA-2013-0194.html | 2023-02-13 | |
| http://rhn.redhat.com/errata/RHSA-2013-0195.html | 2023-02-13 | |
| http://rhn.redhat.com/errata/RHSA-2013-0196.html | 2023-02-13 | |
| http://rhn.redhat.com/errata/RHSA-2013-0197.html | 2023-02-13 | |
| http://rhn.redhat.com/errata/RHSA-2013-0198.html | 2023-02-13 | |
| https://access.redhat.com/security/cve/CVE-2012-2379 | 2013-01-24 | |
| https://bugzilla.redhat.com/show_bug.cgi?id=826534 | 2013-01-24 |
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Apache Search vendor "Apache" | Cxf Search vendor "Apache" for product "Cxf" | 2.4.0 Search vendor "Apache" for product "Cxf" and version "2.4.0" | - |
Affected
| ||||||
| Apache Search vendor "Apache" | Cxf Search vendor "Apache" for product "Cxf" | 2.4.1 Search vendor "Apache" for product "Cxf" and version "2.4.1" | - |
Affected
| ||||||
| Apache Search vendor "Apache" | Cxf Search vendor "Apache" for product "Cxf" | 2.4.2 Search vendor "Apache" for product "Cxf" and version "2.4.2" | - |
Affected
| ||||||
| Apache Search vendor "Apache" | Cxf Search vendor "Apache" for product "Cxf" | 2.4.3 Search vendor "Apache" for product "Cxf" and version "2.4.3" | - |
Affected
| ||||||
| Apache Search vendor "Apache" | Cxf Search vendor "Apache" for product "Cxf" | 2.4.4 Search vendor "Apache" for product "Cxf" and version "2.4.4" | - |
Affected
| ||||||
| Apache Search vendor "Apache" | Cxf Search vendor "Apache" for product "Cxf" | 2.4.5 Search vendor "Apache" for product "Cxf" and version "2.4.5" | - |
Affected
| ||||||
| Apache Search vendor "Apache" | Cxf Search vendor "Apache" for product "Cxf" | 2.4.6 Search vendor "Apache" for product "Cxf" and version "2.4.6" | - |
Affected
| ||||||
| Apache Search vendor "Apache" | Cxf Search vendor "Apache" for product "Cxf" | 2.4.7 Search vendor "Apache" for product "Cxf" and version "2.4.7" | - |
Affected
| ||||||
| Apache Search vendor "Apache" | Cxf Search vendor "Apache" for product "Cxf" | 2.5.0 Search vendor "Apache" for product "Cxf" and version "2.5.0" | - |
Affected
| ||||||
| Apache Search vendor "Apache" | Cxf Search vendor "Apache" for product "Cxf" | 2.5.1 Search vendor "Apache" for product "Cxf" and version "2.5.1" | - |
Affected
| ||||||
| Apache Search vendor "Apache" | Cxf Search vendor "Apache" for product "Cxf" | 2.5.2 Search vendor "Apache" for product "Cxf" and version "2.5.2" | - |
Affected
| ||||||
| Apache Search vendor "Apache" | Cxf Search vendor "Apache" for product "Cxf" | 2.5.3 Search vendor "Apache" for product "Cxf" and version "2.5.3" | - |
Affected
| ||||||
| Apache Search vendor "Apache" | Cxf Search vendor "Apache" for product "Cxf" | 2.6.0 Search vendor "Apache" for product "Cxf" and version "2.6.0" | - |
Affected
| ||||||