Description

JAX-RS XML Security streaming clients in Apache CXF before 3.1.11 and 3.0.13 do not validate that the service response was signed or encrypted, which allows remote attackers to spoof servers.

Remediation

References

http://cxf.apache.org/security-advisories.data/CVE-2017-5653.txt.asc?version=1&modificationDate=1492515074710&api=v2

http://www.securityfocus.com/bid/97968

http://www.securitytracker.com/id/1038279

https://access.redhat.com/errata/RHSA-2017:1832

https://lists.apache.org/thread.html/r36e44ffc1a9b365327df62cdfaabe85b9a5637de102cea07d79b2dbf%40%3Ccommits.cxf.apache.org%3E

https://lists.apache.org/thread.html/rc774278135816e7afc943dc9fc78eb0764f2c84a2b96470a0187315c%40%3Ccommits.cxf.apache.org%3E

https://lists.apache.org/thread.html/rd49aabd984ed540c8ff7916d4d79405f3fa311d2fdbcf9ed307839a6%40%3Ccommits.cxf.apache.org%3E

https://lists.apache.org/thread.html/rec7160382badd3ef4ad017a22f64a266c7188b9ba71394f0d321e2d4%40%3Ccommits.cxf.apache.org%3E

https://lists.apache.org/thread.html/rfb87e0bf3995e7d560afeed750fac9329ff5f1ad49da365129b7f89e%40%3Ccommits.cxf.apache.org%3E

https://lists.apache.org/thread.html/rff42cfa5e7d75b7c1af0e37589140a8f1999e578a75738740b244bd4%40%3Ccommits.cxf.apache.org%3E

Related Vulnerabilities

CVE-2012-4534 Vulnerability in maven package org.apache.tomcat:tomcat-coyote

CVE-2022-38666 Vulnerability in maven package io.jenkins.plugins:cavisson-ns-nd-integration

CVE-2022-36090 Vulnerability in maven package org.xwiki.platform:xwiki-platform-oldcore

CVE-2021-44906 Vulnerability in maven package org.webjars.npm:minimist

CVE-2023-26152 Vulnerability in npm package static-server

Severity

Medium

Classification

CWE-295 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Tags

Patch Vendor Advisory Third Party Advisory VDB Entry Issue Tracking