CyberSec.Space Logo
Back to CVE Browser

CVE-2012-0803

CRITICAL
9.8
CVSS Severity Score
EPSS Score0.1380%
EPSS Percentile19.12th
PublishedAug 8, 2017
Last ModifiedMay 13, 2026

Vulnerability Description

The WS-SP UsernameToken policy in Apache CXF 2.4.5 and 2.5.1 allows remote attackers to bypass authentication by sending an empty UsernameToken as part of a SOAP request.

Affected Platforms (CPE)

πŸ“¦
Apache

Cxf

= 2.4.5
πŸ“¦
Apache

Cxf

= 2.5.1

References & Advisories

πŸ”— http://marc.info/?l=full-disclosure&m=132861746008002
πŸ”— http://svn.apache.org/viewvc?view=revision&revision=1233457
πŸ”— https://lists.apache.org/thread.html/r36e44ffc1a9b365327df62cdfaabe85b9a5637de102cea07d79b2dbf%40%3Ccommits.cxf.apache.org%3E
πŸ”— https://lists.apache.org/thread.html/rc774278135816e7afc943dc9fc78eb0764f2c84a2b96470a0187315c%40%3Ccommits.cxf.apache.org%3E
πŸ”— https://lists.apache.org/thread.html/rd49aabd984ed540c8ff7916d4d79405f3fa311d2fdbcf9ed307839a6%40%3Ccommits.cxf.apache.org%3E
πŸ”— https://lists.apache.org/thread.html/rec7160382badd3ef4ad017a22f64a266c7188b9ba71394f0d321e2d4%40%3Ccommits.cxf.apache.org%3E
πŸ”— https://lists.apache.org/thread.html/rfb87e0bf3995e7d560afeed750fac9329ff5f1ad49da365129b7f89e%40%3Ccommits.cxf.apache.org%3E
πŸ”— https://lists.apache.org/thread.html/rff42cfa5e7d75b7c1af0e37589140a8f1999e578a75738740b244bd4%40%3Ccommits.cxf.apache.org%3E

Related Vulnerabilities

CVE-2012-237910.0

Apache CXF 2.4.x before 2.4.8, 2.5.x before 2.5.4, and 2.6.x before 2.6.1, when a Supporting Token specifies a child WS-SecurityPo...

CVE-2010-20769.8

Apache CXF 2.0.x before 2.0.13, 2.1.x before 2.1.10, and 2.2.x before 2.2.9, as used in Apache ServiceMix, Apache Camel, Apache Ch...

CVE-2019-124199.8

Apache CXF before 3.3.4 and 3.2.11 provides all of the components that are required to build a fully fledged OpenId Connect servic...

CVE-2016-44649.8

The application plugins in Apache CXF Fediz 1.2.x before 1.2.3 and 1.3.x before 1.3.1 do not match SAML AudienceRestriction values...