Apache CXF 2.5.x prior to 2.5.10, 2.6.x before CXF 2.6.7, and 2.7.x before CXF 2.7.4 does not verify that a specified cryptographic algorithm is allowed by the WS-SecurityPolicy AlgorithmSuite definition before decrypting, which allows remote malicious users to force CXF to use weaker cryptographic algorithms than intended and makes it easier to decrypt communications, aka "XML Encryption backwards compatibility attack."
| Vulnerable Product | Search on Vulmon | Subscribe to Product |
|---|---|---|
apache cxf 2.5.2 |
||
apache cxf 2.5.9 |
||
redhat jboss enterprise web platform 5.2.0 |
||
redhat jboss enterprise soa platform 4.3.0 |
||
apache cxf 2.6.0 |
||
apache cxf 2.5.3 |
||
apache cxf 2.7.3 |
||
apache cxf 2.5.7 |
||
redhat jboss fuse esb enterprise 7.1.0 |
||
apache cxf 2.6.2 |
||
apache cxf 2.5.0 |
||
apache cxf 2.5.1 |
||
apache cxf 2.5.5 |
||
apache cxf 2.5.8 |
||
apache cxf 2.6.5 |
||
apache cxf 2.7.0 |
||
apache cxf 2.6.6 |
||
apache cxf 2.6.3 |
||
redhat jboss enterprise portal platform 4.3.0 |
||
apache cxf 2.5.6 |
||
apache cxf 2.6.4 |
||
apache cxf 2.6.1 |
||
apache cxf 2.7.1 |
||
redhat jboss enterprise application platform 5.0.0 |
||
apache cxf 2.5.4 |
||
apache cxf 2.7.2 |
Vulmon