CVE-2017-5653
cxf: CXF JAX-RS XML Security streaming clients do not validate that the service response was signed or encrypted
Severity Score
5.3
*CVSS v3
Exploit Likelihood
*EPSS
Affected Versions
*CPE
Public Exploits
0
*Multiple Sources
Exploited in Wild
-
*KEV
Decision
-
*SSVC
Descriptions
JAX-RS XML Security streaming clients in Apache CXF before 3.1.11 and 3.0.13 do not validate that the service response was signed or encrypted, which allows remote attackers to spoof servers.
Clientes streaming de JAX-RS XML Security en Apache CXF en versiones anteriores a 3.1.11 y 3.0.13 no validan que la respuesta de servicio fue firmada o encriptada, lo que permite a atacantes suplantar servidores.
It was found that a flaw exists in JAX-RS clients using the streaming approach for XML signatures and encryption, where it does not enforce the message to be signed/encrypted. This could allow an attacker to subvert the integrity of the message.
*Credits:
N/A
CVSS Scores
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability
Attack Vector
Attack Complexity
Authentication
Confidentiality
Integrity
Availability
* Common Vulnerability Scoring System
SSVC
- Decision:-
Exploitation
Automatable
Tech. Impact
* Organization's Worst-case Scenario
Timeline
- 2017-01-29 CVE Reserved
- 2017-04-18 CVE Published
- 2023-07-23 EPSS Updated
- 2024-08-05 CVE Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-295: Improper Certificate Validation
CAPEC
References (12)
URL | Date | SRC |
---|
URL | Date | SRC |
---|---|---|
http://cxf.apache.org/security-advisories.data/CVE-2017-5653.txt.asc?version=1&modificationDate=1492515074710&api=v2 | 2023-11-07 |
URL | Date | SRC |
---|---|---|
https://access.redhat.com/errata/RHSA-2017:1832 | 2023-11-07 | |
https://access.redhat.com/security/cve/CVE-2017-5653 | 2017-08-10 | |
https://bugzilla.redhat.com/show_bug.cgi?id=1445327 | 2017-08-10 |
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status | ||||||
---|---|---|---|---|---|---|---|---|---|---|
Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
Apache Search vendor "Apache" | Cxf Search vendor "Apache" for product "Cxf" | >= 3.0.0 <= 3.0.13 Search vendor "Apache" for product "Cxf" and version " >= 3.0.0 <= 3.0.13" | - |
Affected
| ||||||
Apache Search vendor "Apache" | Cxf Search vendor "Apache" for product "Cxf" | >= 3.1.0 <= 3.1.11 Search vendor "Apache" for product "Cxf" and version " >= 3.1.0 <= 3.1.11" | - |
Affected
|