jetlib.sec » Bugtraq » CVE-2012-0803: Apache CXF does not validate UsernameToken policies correctly

Feeds

132968 items (0 unread) in 27 feeds

• 1337day (was: Inj3ct0r, 1337db)
• OSVDB Vulnerabilities
• Exploit-DB
• SecurityFocus Vulnerabilities
• Bugtraq
• Full Disclosure
• XSSed
• Packet Storm Security Headlines
• Packet Storm Security Advisories
• Packet Storm Security Exploits
• Packet Storm Security Recent Files
• Packet Storm Security Tools
• Packet Storm Security Misc. Files
• Sophos security news
• Sophos product advisories
• Penetration Testing
• SecuriTeam
• BackTrack Linux Forums
• Threatpost
• SecDocs
• carnal0wnage.attackresearch.com
• Carnal0wnage
• Kernel Fun
• Darknet
• The Exploitant
• Hack a Day
• Wirevolution

Bugtraq

• February 07, 2012
• 

  CVE-2012-0803: Apache CXF does not validate UsernameToken policies correctly

  Posted: February 7th, 2012, 8:05am PST

  Tags:   

  Posted by Colm O hEigeartaigh on Feb 07

  CVE-2012-0803: Apache CXF does not validate UsernameToken policies correctly
  
  Severity: Important
  
  Vendor: The Apache Software Foundation
  
  Versions Affected: Apache CXF 2.4.5 and 2.5.1
  
  Description: CXF does not validate a WS-Security UsernameToken received as part
  of the security header of a SOAP request against a WS-SP UsernameToken policy.
  
  A malicious client could send a request to the endpoint with no UsernameToken,
  and the UsernameToken...