CVE-2012-0803

moderate-risk

Published 2017-08-08

The WS-SP UsernameToken policy in Apache CXF 2.4.5 and 2.5.1 allows remote attackers to bypass authentication by sending an empty UsernameToken as part of a SOAP request.

Do I need to act?

0.67% chance of exploitation

EPSS score — low exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 9.8/10 Critical

NETWORK / LOW complexity

Affected Products (2)

Cxf

Affected Vendors

Apache

References (16)

Mailing List http://marc.info/?l=full-disclosure&m=132861746008002

Patch http://svn.apache.org/viewvc?view=revision&revision=1233457

https://lists.apache.org/thread.html/r36e44ffc1a9b365327df62cdfaabe85b9a5637de10...

https://lists.apache.org/thread.html/rc774278135816e7afc943dc9fc78eb0764f2c84a2b...

https://lists.apache.org/thread.html/rd49aabd984ed540c8ff7916d4d79405f3fa311d2fd...

https://lists.apache.org/thread.html/rec7160382badd3ef4ad017a22f64a266c7188b9ba7...

https://lists.apache.org/thread.html/rfb87e0bf3995e7d560afeed750fac9329ff5f1ad49...

https://lists.apache.org/thread.html/rff42cfa5e7d75b7c1af0e37589140a8f1999e578a7...

Mailing List http://marc.info/?l=full-disclosure&m=132861746008002

Patch http://svn.apache.org/viewvc?view=revision&revision=1233457

https://lists.apache.org/thread.html/r36e44ffc1a9b365327df62cdfaabe85b9a5637de10...

https://lists.apache.org/thread.html/rc774278135816e7afc943dc9fc78eb0764f2c84a2b...

https://lists.apache.org/thread.html/rd49aabd984ed540c8ff7916d4d79405f3fa311d2fd...

https://lists.apache.org/thread.html/rec7160382badd3ef4ad017a22f64a266c7188b9ba7...

https://lists.apache.org/thread.html/rfb87e0bf3995e7d560afeed750fac9329ff5f1ad49...

https://lists.apache.org/thread.html/rff42cfa5e7d75b7c1af0e37589140a8f1999e578a7...

/ 100

moderate-risk

Severity 32/34 · Critical

Exploitability 2/34 · Minimal

Exposure 7/34 · Low