GHSA-v45r-rj5x-hpg2

Suggest an improvement
Source
https://github.com/advisories/GHSA-v45r-rj5x-hpg2
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-v45r-rj5x-hpg2/GHSA-v45r-rj5x-hpg2.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-v45r-rj5x-hpg2
Aliases
  • CVE-2014-0035
Published
2022-05-13T01:09:20Z
Modified
2023-12-21T21:22:54Z
Summary
Cleartext Transmission of Sensitive Information in Apache CXF
Details

The SymmetricBinding in Apache CXF before 2.6.13 and 2.7.x before 2.7.10, when EncryptBeforeSigning is enabled and the UsernameToken policy is set to an EncryptedSupportingToken, transmits the UsernameToken in cleartext, which allows remote attackers to obtain sensitive information by sniffing the network.

References

Affected packages

Maven / org.apache.cxf:cxf-core

Package

Name
org.apache.cxf:cxf-core
View open source insights on deps.dev
Purl
pkg:maven/org.apache.cxf/cxf-core

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
2.6.13

Maven / org.apache.cxf:cxf-core

Package

Name
org.apache.cxf:cxf-core
View open source insights on deps.dev
Purl
pkg:maven/org.apache.cxf/cxf-core

Affected ranges

Type
ECOSYSTEM
Events
Introduced
2.7.0
Fixed
2.7.10