Vulnerability in Apache CXF
CVE-2014-0035
The SymmetricBinding in Apache CXF before 2.6.13 and 2.7.x before 2.7.10, when EncryptBeforeSigning is enabled and the UsernameToken policy is set to an EncryptedSupportingToken, transmits the UsernameToken in cleartext, which allows remot…
Vulnerability class: POODLE (CVE-2014-3566)
EPSS: 0.010 (76.8th percentile)
Affected products
- Apache CXF — versions 2.6.0, 2.6.1, 2.6.2
- Red Hat JBoss Enterprise Application Platform — versions 6.0.0, 6.2.0
Weakness classification (CWE)
Public proof-of-concept exploits
References
- RHSA-2014:0798 (x_refsource_REDHAT, vendor-advisory)
- RHSA-2015:0850 (x_refsource_REDHAT, vendor-advisory)
- secalert@redhat.com (x_refsource_CONFIRM, Vendor Advisory)
- RHSA-2014:0797 (x_refsource_REDHAT, vendor-advisory)
- RHSA-2015:0851 (x_refsource_REDHAT, vendor-advisory)
- RHSA-2014:0799 (x_refsource_REDHAT, vendor-advisory)
- secalert@redhat.com (x_refsource_CONFIRM, Patch)
- RHSA-2014:1351 (x_refsource_REDHAT, vendor-advisory)
- [cxf-commits] 20200116 svn commit: r1055336 - in /websites/production/cxf/content: cache/main.pageCache security-advisories.data/CVE-2019-12423.txt.asc security-advisories.data/CVE-2019-17573.txt.asc security-advisories.html (mailing-list, x_refsource_MLIST)
- [cxf-commits] 20200319 svn commit: r1058035 - in /websites/production/cxf/content: cache/main.pageCache security-advisories.data/CVE-2019-17573.txt.asc security-advisories.html (mailing-list, x_refsource_MLIST)
Frequently asked questions
- What is CVE-2014-0035?
- CVE-2014-0035 is a vulnerability in Apache CXF, classified under Cryptographic Issues. Published 2014-07-07.
- Is CVE-2014-0035 known to be exploited?
- 1 public proof-of-concept repository is indexed. Not currently listed in the CISA KEV catalog.