CVE-2014-0035
CXF: UsernameTokens are sent in plaintext with a Symmetric EncryptBeforeSigning policy
- Severity Score: -
- Exploit Likelihood: -
- Affected Versions: see table below
- Public Exploits: 0
- Exploited in Wild: -
- Decision: -
Descriptions
The SymmetricBinding in Apache CXF before 2.6.13 and 2.7.x before 2.7.10, when EncryptBeforeSigning is enabled and the UsernameToken policy is set to an EncryptedSupportingToken, transmits the UsernameToken in cleartext, which allows remote attackers to obtain sensitive information by sniffing the network.
It was discovered that UsernameTokens were sent in plain text by an Apache CXF client that used a Symmetric EncryptBeforeSigning password policy. A man-in-the-middle attacker could use this flaw to obtain the user name and password used by the client application using Apache CXF.
CVSS Scores
- (not recorded)
SSVC
- Decision: -
Timeline
- 2013-12-03 CVE Reserved
- 2014-06-26 CVE Published
- 2024-02-17 EPSS Updated
- 2024-08-06 CVE Updated
- (not recorded) Exploited in Wild
- (not recorded) KEV Due Date
- (not recorded) First Exploit
CWE
- CWE-310: Cryptographic Issues
- CWE-522: Insufficiently Protected Credentials
CAPEC
- (none listed)
References (16)
URL | Date | SRC
---|---|---
http://svn.apache.org/viewvc?view=revision&revision=1564724 | 2023-11-07 |
http://cxf.apache.org/security-advisories.data/CVE-2014-0035.txt.asc | 2023-11-07 |
http://rhn.redhat.com/errata/RHSA-2014-0797.html | 2023-11-07 |
http://rhn.redhat.com/errata/RHSA-2014-0798.html | 2023-11-07 |
http://rhn.redhat.com/errata/RHSA-2014-0799.html | 2023-11-07 |
http://rhn.redhat.com/errata/RHSA-2014-1351.html | 2023-11-07 |
http://rhn.redhat.com/errata/RHSA-2015-0850.html | 2023-11-07 |
http://rhn.redhat.com/errata/RHSA-2015-0851.html | 2023-11-07 |
https://access.redhat.com/security/cve/CVE-2014-0035 | 2015-05-14 |
https://bugzilla.redhat.com/show_bug.cgi?id=1093530 | 2015-05-14 |
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status
---|---|---|---|---
Apache | Cxf | <= 2.6.12 | - | Affected
Apache | Cxf | 2.6.0 | - | Affected
Apache | Cxf | 2.6.1 | - | Affected
Apache | Cxf | 2.6.2 | - | Affected
Apache | Cxf | 2.6.3 | - | Affected
Apache | Cxf | 2.6.4 | - | Affected
Apache | Cxf | 2.6.5 | - | Affected
Apache | Cxf | 2.6.6 | - | Affected
Apache | Cxf | 2.6.7 | - | Affected
Apache | Cxf | 2.6.8 | - | Affected
Apache | Cxf | 2.6.9 | - | Affected
Apache | Cxf | 2.6.10 | - | Affected
Apache | Cxf | 2.6.11 | - | Affected
Apache | Cxf | 2.7.0 | - | Affected
Apache | Cxf | 2.7.1 | - | Affected
Apache | Cxf | 2.7.2 | - | Affected
Apache | Cxf | 2.7.3 | - | Affected
Apache | Cxf | 2.7.4 | - | Affected
Apache | Cxf | 2.7.5 | - | Affected
Apache | Cxf | 2.7.6 | - | Affected
Apache | Cxf | 2.7.7 | - | Affected
Apache | Cxf | 2.7.8 | - | Affected
Apache | Cxf | 2.7.9 | - | Affected
Redhat | Jboss Enterprise Application Platform | 6.0.0 | - | Affected
Redhat | Jboss Enterprise Application Platform | 6.2.0 | - | Affected