CVE-2014-0035 – org.apache.cxf:cxf-core

Package

Manager: maven
Name: org.apache.cxf:cxf-core
Vulnerable Version: >=0 <2.6.13 || >=2.7.0 <2.7.10

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:A/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C

CVSS v4.0: CVSS:4.0/AV:A/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

EPSS: 0.00956 pctl0.75539

Details

Cleartext Transmission of Sensitive Information in Apache CXF The SymmetricBinding in Apache CXF before 2.6.13 and 2.7.x before 2.7.10, when EncryptBeforeSigning is enabled and the UsernameToken policy is set to an EncryptedSupportingToken, transmits the UsernameToken in cleartext, which allows remote attackers to obtain sensitive information by sniffing the network.

Metadata

Created: 2022-05-13T01:09:20Z
Modified: 2023-12-21T21:22:54Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-v45r-rj5x-hpg2/GHSA-v45r-rj5x-hpg2.json
CWE IDs: ["CWE-319"]
Alternative ID: GHSA-v45r-rj5x-hpg2
Finding: F332
Auto approve: 1