Description

JAX-RS XML Security streaming clients in Apache CXF before 3.1.11 and 3.0.13 do not validate that the service response was signed or encrypted, which allows remote attackers to spoof servers.

Remediation

References

http://cxf.apache.org/security-advisories.data/CVE-2017-5653.txt.asc?version=1&modificationDate=1492515074710&api=v2

http://www.securityfocus.com/bid/97968

http://www.securitytracker.com/id/1038279

https://access.redhat.com/errata/RHSA-2017:1832

https://lists.apache.org/thread.html/rc774278135816e7afc943dc9fc78eb0764f2c84a2b96470a0187315c%40%3Ccommits.cxf.apache.org%3E

https://lists.apache.org/thread.html/r36e44ffc1a9b365327df62cdfaabe85b9a5637de102cea07d79b2dbf%40%3Ccommits.cxf.apache.org%3E

https://lists.apache.org/thread.html/rff42cfa5e7d75b7c1af0e37589140a8f1999e578a75738740b244bd4%40%3Ccommits.cxf.apache.org%3E

https://lists.apache.org/thread.html/rd49aabd984ed540c8ff7916d4d79405f3fa311d2fdbcf9ed307839a6%40%3Ccommits.cxf.apache.org%3E

https://lists.apache.org/thread.html/rec7160382badd3ef4ad017a22f64a266c7188b9ba71394f0d321e2d4%40%3Ccommits.cxf.apache.org%3E

https://lists.apache.org/thread.html/rfb87e0bf3995e7d560afeed750fac9329ff5f1ad49da365129b7f89e%40%3Ccommits.cxf.apache.org%3E

Related Vulnerabilities

CVE-2021-44138 Vulnerability in maven package com.caucho:resin

CVE-2023-29008 Vulnerability in npm package @sveltejs/kit

CVE-2022-31147 Vulnerability in maven package org.webjars.bowergithub.jquery-validation:jquery-validation

CVE-2023-43123 Vulnerability in maven package org.apache.storm:storm-server

CVE-2022-31018 Vulnerability in maven package com.typesafe.play:play_2.13

Severity

Medium

Classification

CWE-295 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Tags

Patch Vendor Advisory Third Party Advisory VDB Entry Issue Tracking