CVE-2012-5633

Published: Mar 12, 2013Modified: Apr 29, 2026

5.8

Vector

AV:N/AC:M/Au:N/C:P/I:P/A:N

Exploitability: 8.6 / Impact: 4.9

Source: NVD

Description

The URIMappingInterceptor in Apache CXF before 2.5.8, 2.6.x before 2.6.5, and 2.7.x before 2.7.2, when using the WSS4JInInterceptor, bypasses WS-Security processing, which allows remote attackers to obtain access to SOAP services via an HTTP GET request.

Affected (15)

Products: Apache: Cxf

Apache

1 product

Cxf

Configuration A

8 vulnerable

Vulnerable Software	Affected Versions
Apache Cxf	Up to 2.5.7
Apache Cxf	Version 2.5.0
Apache Cxf	Version 2.5.1
Apache Cxf	Version 2.5.2
Apache Cxf	Version 2.5.3
Apache Cxf	Version 2.5.4
Apache Cxf	Version 2.5.5
Apache Cxf	Version 2.5.6

Configuration B

5 vulnerable

Vulnerable Software	Affected Versions
Apache Cxf	Version 2.6.0
Apache Cxf	Version 2.6.1
Apache Cxf	Version 2.6.2
Apache Cxf	Version 2.6.3
Apache Cxf	Version 2.6.4

Configuration C

2 vulnerable

Vulnerable Software	Affected Versions
Apache Cxf	Version 2.7.0
Apache Cxf	Version 2.7.1

Related CWEs

CWE-287

Improper Authentication

When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.

References (52)

http://cxf.apache.org/cve-2012-5633.html

Source: secalert@redhat.com

Vendor Advisory

http://osvdb.org/90079

Source: secalert@redhat.com

http://packetstormsecurity.com/files/120213/Apache-CXF-WS-Security-URIMappingInterceptor-Bypass.html

Source: secalert@redhat.com

http://rhn.redhat.com/errata/RHSA-2013-0256.html

Source: secalert@redhat.com

http://rhn.redhat.com/errata/RHSA-2013-0257.html

Source: secalert@redhat.com

http://rhn.redhat.com/errata/RHSA-2013-0258.html

Source: secalert@redhat.com

http://rhn.redhat.com/errata/RHSA-2013-0259.html

Source: secalert@redhat.com

http://rhn.redhat.com/errata/RHSA-2013-0726.html

Source: secalert@redhat.com

http://rhn.redhat.com/errata/RHSA-2013-0743.html

Source: secalert@redhat.com

http://rhn.redhat.com/errata/RHSA-2013-0749.html

Source: secalert@redhat.com

http://seclists.org/fulldisclosure/2013/Feb/39

Source: secalert@redhat.com

http://secunia.com/advisories/51988

Source: secalert@redhat.com

Vendor Advisory

http://secunia.com/advisories/52183

Source: secalert@redhat.com

Vendor Advisory

http://stackoverflow.com/questions/7933293/why-does-apache-cxf-ws-security-implementation-ignore-get-requests

Source: secalert@redhat.com

http://svn.apache.org/viewvc?view=revision&revision=1409324

Source: secalert@redhat.com

http://svn.apache.org/viewvc?view=revision&revision=1420698

Source: secalert@redhat.com

http://www.securityfocus.com/bid/57874

Source: secalert@redhat.com

https://exchange.xforce.ibmcloud.com/vulnerabilities/81980

Source: secalert@redhat.com

https://issues.apache.org/jira/browse/CXF-4629

Source: secalert@redhat.com

https://issues.jboss.org/browse/JBWS-3575

Source: secalert@redhat.com

https://lists.apache.org/thread.html/r36e44ffc1a9b365327df62cdfaabe85b9a5637de102cea07d79b2dbf%40%3Ccommits.cxf.apache.org%3E

Source: secalert@redhat.com

https://lists.apache.org/thread.html/rc774278135816e7afc943dc9fc78eb0764f2c84a2b96470a0187315c%40%3Ccommits.cxf.apache.org%3E

Source: secalert@redhat.com

https://lists.apache.org/thread.html/rd49aabd984ed540c8ff7916d4d79405f3fa311d2fdbcf9ed307839a6%40%3Ccommits.cxf.apache.org%3E

Source: secalert@redhat.com

https://lists.apache.org/thread.html/rec7160382badd3ef4ad017a22f64a266c7188b9ba71394f0d321e2d4%40%3Ccommits.cxf.apache.org%3E

Source: secalert@redhat.com

https://lists.apache.org/thread.html/rfb87e0bf3995e7d560afeed750fac9329ff5f1ad49da365129b7f89e%40%3Ccommits.cxf.apache.org%3E

Source: secalert@redhat.com

https://lists.apache.org/thread.html/rff42cfa5e7d75b7c1af0e37589140a8f1999e578a75738740b244bd4%40%3Ccommits.cxf.apache.org%3E

Source: secalert@redhat.com

http://cxf.apache.org/cve-2012-5633.html