CVE-2012-2379 — XML Signature/Encryption Not Validated in Apache CXF

Description

Apache CXF 2.4.x before 2.4.8, 2.5.x before 2.5.4, and 2.6.x before 2.6.1, when a Supporting Token specifies a child WS-SecurityPolicy 1.1 or 1.2 policy, does not properly ensure that an XML element is signed or encrypted, which has unspecified impact and attack vectors.

How to fix CVE-2012-2379

To remediate CVE-2012-2379, upgrade the affected package to a fixed version below.

Maven/org.apache.cxf:cxf—upgrade to 2.4.8 or later

Is CVE-2012-2379 being exploited?

Low — EPSS is 3.8%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

>= 2.4.0, < 2.4.8

References (18)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2012-2379
PATCHgithub.com/apache/cxf
WEBcxf.apache.org/cve-2012-2379.html
WEBgithub.com/apache/cxf/commit/440528d928be1e2030e7227b958c9c072847d9b2
WEB