CVEブラウザに戻る

CVE-2012-2379

CRITICAL

10.0

CVSS Severity Score

EPSS Score0.1620%

EPSS Percentile31.88th

Published2013年1月3日

Last Modified2026年4月29日

Vulnerability Description

Apache CXF 2.4.x before 2.4.8, 2.5.x before 2.5.4, and 2.6.x before 2.6.1, when a Supporting Token specifies a child WS-SecurityPolicy 1.1 or 1.2 policy, does not properly ensure that an XML element is signed or encrypted, which has unspecified impact and attack vectors.

Affected Platforms (CPE)

📦

Apache

Cxf

= 2.4.0

📦

Apache

Cxf

= 2.4.1

📦

Apache

Cxf

= 2.4.2

📦

Apache

Cxf

= 2.4.3

📦

Apache

Cxf

= 2.4.4

📦

Apache

Cxf

= 2.4.5

📦

Apache

Cxf

= 2.4.6

📦

Apache

Cxf

= 2.4.7

📦

Apache

Cxf

= 2.5.0

📦

Apache

Cxf

= 2.5.1

📦

Apache

Cxf

= 2.5.2

📦

Apache

Cxf

= 2.5.3

📦

Apache

Cxf

= 2.6.0

References & Advisories

🔗 http://cxf.apache.org/cve-2012-2379.html

🔗 http://rhn.redhat.com/errata/RHSA-2012-1559.html

🔗 http://rhn.redhat.com/errata/RHSA-2012-1573.html

🔗 http://rhn.redhat.com/errata/RHSA-2012-1591.html

🔗 http://rhn.redhat.com/errata/RHSA-2012-1592.html

🔗 http://rhn.redhat.com/errata/RHSA-2012-1593.html

🔗 http://rhn.redhat.com/errata/RHSA-2012-1594.html

🔗 http://rhn.redhat.com/errata/RHSA-2013-0191.html

関連する脆弱性情報

CVE-2010-20769.8

Apache CXF 2.0.x before 2.0.13, 2.1.x before 2.1.10, and 2.2.x before 2.2.9, as used in Apache ServiceMix, Apache Camel, Apache Ch...

CVE-2012-08039.8

The WS-SP UsernameToken policy in Apache CXF 2.4.5 and 2.5.1 allows remote attackers to bypass authentication by sending an empty ...

CVE-2019-124199.8

Apache CXF before 3.3.4 and 3.2.11 provides all of the components that are required to build a fully fledged OpenId Connect servic...

CVE-2016-44649.8

The application plugins in Apache CXF Fediz 1.2.x before 1.2.3 and 1.3.x before 1.3.1 do not match SAML AudienceRestriction values...