CVE-2017-5653

5.3MEDIUM

Key Information:

Vendor: Apache
Status: Apache Cxf
Vendor: CVE Published:; 18 April 2017

Summary

JAX-RS XML Security streaming clients in Apache CXF before 3.1.11 and 3.0.13 do not validate that the service response was signed or encrypted, which allows remote attackers to spoof servers.

Affected Version(s)

Apache CXF prior to 3.0.13

Apache CXF 3.1.x prior to 3.1.11

References

https://access.redhat.com/errata/RHSA-2017:1832

vendor-advisoryx_refsource_REDHAT

http://cxf.apache.org/security-advisories.data/CVE-2017-5...

x_refsource_CONFIRM

http://www.securitytracker.com/id/1038279

vdb-entryx_refsource_SECTRACK

CVSS V3.1

Score:

5.3

Severity:

MEDIUM

Confidentiality:

None

Integrity:

Low

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Apr 18, 2017
Vulnerability Reserved
Jan 29, 2017