CVE-2014-0035

Good to know:

icon
icon

Date: July 7, 2014

The SymmetricBinding in Apache CXF before 2.6.13 and 2.7.x before 2.7.10, when EncryptBeforeSigning is enabled and the UsernameToken policy is set to an EncryptedSupportingToken, transmits the UsernameToken in cleartext, which allows remote attackers to obtain sensitive information by sniffing the network.

Language: Java

Severity Score

Severity Score

Weakness Type (CWE)

Cryptographic Issues

CWE-310

Top Fix

icon

Upgrade Version

Upgrade to version 2.6.13,2.7.10

Learn More

CVSS v2

Base Score:
Access Vector (AV): NETWORK
Access Complexity (AC): MEDIUM
Authentication (AU): NONE
Confidentiality (C): PARTIAL
Integrity (I): NONE
Availability (A): NONE
Additional information:

Do you need more information?

Contact Us