Description

JAX-RS XML Security streaming clients in Apache CXF before 3.1.11 and 3.0.13 do not validate that the service response was signed or encrypted, which allows remote attackers to spoof servers.

Remediation

References

http://cxf.apache.org/security-advisories.data/CVE-2017-5653.txt.asc?version=1&modificationDate=1492515074710&api=v2

http://www.securityfocus.com/bid/97968

http://www.securitytracker.com/id/1038279

https://access.redhat.com/errata/RHSA-2017:1832

https://lists.apache.org/thread.html/r36e44ffc1a9b365327df62cdfaabe85b9a5637de102cea07d79b2dbf%40%3Ccommits.cxf.apache.org%3E

https://lists.apache.org/thread.html/rc774278135816e7afc943dc9fc78eb0764f2c84a2b96470a0187315c%40%3Ccommits.cxf.apache.org%3E

https://lists.apache.org/thread.html/rd49aabd984ed540c8ff7916d4d79405f3fa311d2fdbcf9ed307839a6%40%3Ccommits.cxf.apache.org%3E

https://lists.apache.org/thread.html/rec7160382badd3ef4ad017a22f64a266c7188b9ba71394f0d321e2d4%40%3Ccommits.cxf.apache.org%3E

https://lists.apache.org/thread.html/rfb87e0bf3995e7d560afeed750fac9329ff5f1ad49da365129b7f89e%40%3Ccommits.cxf.apache.org%3E

https://lists.apache.org/thread.html/rff42cfa5e7d75b7c1af0e37589140a8f1999e578a75738740b244bd4%40%3Ccommits.cxf.apache.org%3E

Related Vulnerabilities

CVE-2016-10726 Vulnerability in maven package org.dspace:dspace-xmlui

CVE-2023-40013 Vulnerability in npm package external-svg-loader

CVE-2022-25973 Vulnerability in npm package mc-kill-port

CVE-2021-21361 Vulnerability in maven package com.bmuschko:gradle-vagrant-plugin

CVE-2022-40764 Vulnerability in npm package snyk-go-plugin

Severity

Medium

Classification

CWE-295 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Tags

Patch Vendor Advisory Third Party Advisory VDB Entry Issue Tracking