Apache CXF 2.4.5 up to and including 2.4.7, 2.5.1 up to and including 2.5.3, and 2.6.x prior to 2.6.1, does not properly enforce child policies of a WS-SecurityPolicy 1.1 SupportingToken policy on the client side, which allows remote malicious users to bypass the (1) AlgorithmSuite, (2) SignedParts, (3) SignedElements, (4) EncryptedParts, and (5) EncryptedElements policies.
Vulnerable Product | Search on Vulmon | Subscribe to Product |
---|---|---|
apache cxf 2.4.6 |
||
apache cxf 2.4.7 |
||
apache cxf 2.4.5 |
||
apache cxf 2.5.2 |
||
apache cxf 2.5.3 |
||
apache cxf 2.5.1 |
||
apache cxf 2.6.0 |