
CVE-2012-5633

apache-cxf: Bypass of security constraints on WS endpoints when using WSS4JInInterceptor

Severity Score: 5.8 (CVSS v2)

Public Exploits: 0 (Multiple Sources)

Exploited in Wild: - (KEV)

Decision: - (SSVC)

Descriptions

The URIMappingInterceptor in Apache CXF before 2.5.8, 2.6.x before 2.6.5, and 2.7.x before 2.7.2, when using the WSS4JInInterceptor, bypasses WS-Security processing, which allows remote attackers to obtain access to SOAP services via an HTTP GET request.


*Credits: N/A
CVSS Scores

Attack Vector: Network
Attack Complexity: Medium
Authentication: None
Confidentiality: Partial
Integrity: Partial
Availability: None

Attack Vector: Network
Attack Complexity: Low
Authentication: None
Confidentiality: Partial
Integrity: Partial
Availability: None

* Common Vulnerability Scoring System
SSVC
  • Decision: -
  • Exploitation: -
  • Automatable: -
  • Tech. Impact: -
* Organization's Worst-case Scenario
Timeline
  • 2012-10-24 CVE Reserved
  • 2013-02-12 CVE Published
  • 2023-11-28 EPSS Updated
  • 2024-08-06 CVE Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
  • CWE-287: Improper Authentication
References (28)
URL Tag Source
http://osvdb.org/90079 Vdb Entry
http://packetstormsecurity.com/files/120213/Apache-CXF-WS-Security-URIMappingInterceptor-Bypass.html X_refsource_misc
http://seclists.org/fulldisclosure/2013/Feb/39 Mailing List
http://stackoverflow.com/questions/7933293/why-does-apache-cxf-ws-security-implementation-ignore-get-requests X_refsource_misc
http://svn.apache.org/viewvc?view=revision&revision=1409324 X_refsource_confirm
http://svn.apache.org/viewvc?view=revision&revision=1420698 X_refsource_confirm
http://www.securityfocus.com/bid/57874 Vdb Entry
https://exchange.xforce.ibmcloud.com/vulnerabilities/81980 Vdb Entry
https://issues.apache.org/jira/browse/CXF-4629 X_refsource_confirm
https://issues.jboss.org/browse/JBWS-3575 X_refsource_misc
https://lists.apache.org/thread.html/r36e44ffc1a9b365327df62cdfaabe85b9a5637de102cea07d79b2dbf%40%3Ccommits.cxf.apache.org%3E Mailing List
https://lists.apache.org/thread.html/rc774278135816e7afc943dc9fc78eb0764f2c84a2b96470a0187315c%40%3Ccommits.cxf.apache.org%3E Mailing List
https://lists.apache.org/thread.html/rd49aabd984ed540c8ff7916d4d79405f3fa311d2fdbcf9ed307839a6%40%3Ccommits.cxf.apache.org%3E Mailing List
https://lists.apache.org/thread.html/rec7160382badd3ef4ad017a22f64a266c7188b9ba71394f0d321e2d4%40%3Ccommits.cxf.apache.org%3E Mailing List
https://lists.apache.org/thread.html/rfb87e0bf3995e7d560afeed750fac9329ff5f1ad49da365129b7f89e%40%3Ccommits.cxf.apache.org%3E Mailing List
https://lists.apache.org/thread.html/rff42cfa5e7d75b7c1af0e37589140a8f1999e578a75738740b244bd4%40%3Ccommits.cxf.apache.org%3E Mailing List
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Apache Cxf <= 2.5.7 - Affected
Apache Cxf 2.5.0 - Affected
Apache Cxf 2.5.1 - Affected
Apache Cxf 2.5.2 - Affected
Apache Cxf 2.5.3 - Affected
Apache Cxf 2.5.4 - Affected
Apache Cxf 2.5.5 - Affected
Apache Cxf 2.5.6 - Affected
Apache Cxf 2.6.0 - Affected
Apache Cxf 2.6.1 - Affected
Apache Cxf 2.6.2 - Affected
Apache Cxf 2.6.3 - Affected
Apache Cxf 2.6.4 - Affected
Apache Cxf 2.7.0 - Affected
Apache Cxf 2.7.1 - Affected