GHSA-hgg6-8x62-m9gf

Source

https://github.com/advisories/GHSA-hgg6-8x62-m9gf

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-hgg6-8x62-m9gf/GHSA-hgg6-8x62-m9gf.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-hgg6-8x62-m9gf

Aliases

CVE-2017-5653

Published

2022-05-13T01:09:19Z

Modified

2024-02-22T05:32:13.853013Z

Severity

5.3 (Medium) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N CVSS Calculator

Summary

Improper Certificate Validation in Apache CXF

Details

JAX-RS XML Security streaming clients in Apache CXF before 3.1.11 and 3.0.13 do not validate that the service response was signed or encrypted, which allows remote attackers to spoof servers.

Database specific

{
    "nvd_published_at": "2017-04-18T16:59:00Z",
    "cwe_ids": [
        "CWE-295"
    ],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2022-07-01T11:59:24Z"
}

References

Affected packages

Maven / org.apache.cxf:cxf-core

Package

Name: org.apache.cxf:cxf-core; View open source insights on deps.dev
Purl: pkg:maven/org.apache.cxf/cxf-core

Affected ranges

Type: ECOSYSTEM
Events: Introduced

3.1.0

Fixed

3.1.11

Affected versions

3.*

3.1.0

3.1.1

3.1.2

3.1.3

3.1.4

3.1.5

3.1.6

3.1.7

3.1.8

3.1.9

3.1.10

Database specific

{
    "last_known_affected_version_range": "<= 3.1.10"
}

Maven / org.apache.cxf:cxf-core

Package

Name: org.apache.cxf:cxf-core; View open source insights on deps.dev
Purl: pkg:maven/org.apache.cxf/cxf-core

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

3.0.13

Affected versions

3.*

3.0.0-milestone1

3.0.0-milestone2

3.0.0

3.0.1

3.0.2

3.0.3

3.0.4

3.0.5

3.0.6

3.0.7

3.0.8

3.0.9

3.0.10

3.0.11

3.0.12

Database specific

{
    "last_known_affected_version_range": "<= 3.0.12"
}