CVE-2012-5575
Inadequate Encryption Strength in Apache CXF
EPSS 9.5%
Description
Apache CXF 2.5.x before 2.5.10, 2.6.x before 2.6.7, and 2.7.x before 2.7.4 does not verify that the cryptographic algorithm specified in an incoming message is allowed by the WS-SecurityPolicy AlgorithmSuite definition before decrypting. A remote attacker can therefore force CXF to use weaker cryptographic algorithms than the policy intends, which makes it easier to decrypt communications (the "XML Encryption backwards compatibility attack").
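As an added illustration (not Apache CXF's own code), the check the description says the vulnerable versions skipped: before any decryption, every algorithm URI named in the incoming message's EncryptedKey and EncryptedData elements is compared against the negotiated WS-SecurityPolicy AlgorithmSuite, and anything outside the suite is rejected. The suite table is a subset of the WS-SecurityPolicy 1.2 definitions; the function names and the sample SOAP messages are constructed for this example, and the CipherValue contents are placeholders rather than real ciphertext.

```python
"""Added example: the pre-decryption AlgorithmSuite check that CVE-2012-5575
describes as missing. This is not Apache CXF code; the suite table is a
subset of WS-SecurityPolicy 1.2, and the helper names and sample messages
are constructed for illustration."""
import xml.etree.ElementTree as ET

XENC = "http://www.w3.org/2001/04/xmlenc#"

# Subset of the WS-SecurityPolicy 1.2 AlgorithmSuite table: the symmetric
# data-encryption algorithm and the asymmetric key-wrap algorithm each suite
# permits. A full implementation would also pin digest, signature and
# key-derivation algorithms.
ALGORITHM_SUITES = {
    "Basic256":       {"encryption": XENC + "aes256-cbc",    "key_wrap": XENC + "rsa-oaep-mgf1p"},
    "Basic128":       {"encryption": XENC + "aes128-cbc",    "key_wrap": XENC + "rsa-oaep-mgf1p"},
    "TripleDes":      {"encryption": XENC + "tripledes-cbc", "key_wrap": XENC + "rsa-oaep-mgf1p"},
    "Basic256Rsa15":  {"encryption": XENC + "aes256-cbc",    "key_wrap": XENC + "rsa-1_5"},
    "TripleDesRsa15": {"encryption": XENC + "tripledes-cbc", "key_wrap": XENC + "rsa-1_5"},
}


class AlgorithmSuiteViolation(Exception):
    """Raised when a message names an algorithm the negotiated suite does not allow."""


def _algorithm(elem):
    """Return the Algorithm URI of elem's direct EncryptionMethod child, failing closed."""
    method = elem.find(f"{{{XENC}}}EncryptionMethod")
    alg = method.get("Algorithm") if method is not None else None
    if not alg:
        raise AlgorithmSuiteViolation(f"{elem.tag}: missing EncryptionMethod/@Algorithm")
    return alg


def check_algorithm_suite(soap_xml, suite_name):
    """Collect the key-wrap and data-encryption algorithms the message names and
    reject the message if any of them differs from the negotiated suite.
    Returns the algorithms found, keyed by role, when the message conforms."""
    suite = ALGORITHM_SUITES[suite_name]
    root = ET.fromstring(soap_xml)
    found = {"key_wrap": [], "encryption": []}
    for encrypted_key in root.iter(f"{{{XENC}}}EncryptedKey"):
        found["key_wrap"].append(_algorithm(encrypted_key))
    for encrypted_data in root.iter(f"{{{XENC}}}EncryptedData"):
        found["encryption"].append(_algorithm(encrypted_data))
    if not any(found.values()):
        raise AlgorithmSuiteViolation("no XML Encryption structures present")
    for role, algorithms in found.items():
        for alg in algorithms:
            if alg != suite[role]:
                raise AlgorithmSuiteViolation(
                    f"{role} algorithm {alg} is not the {suite_name} algorithm {suite[role]}")
    return found


def is_allowed(soap_xml, suite_name):
    """Boolean wrapper: True only if every named algorithm matches the suite."""
    try:
        check_algorithm_suite(soap_xml, suite_name)
        return True
    except AlgorithmSuiteViolation:
        return False


def sample_message(key_wrap_alg, data_alg):
    """Constructed minimal WS-Security message; CipherValues are placeholders."""
    return f"""<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
  xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
  xmlns:xenc="{XENC}">
  <soap:Header>
    <wsse:Security>
      <xenc:EncryptedKey Id="EK-1">
        <xenc:EncryptionMethod Algorithm="{key_wrap_alg}"/>
        <xenc:CipherData><xenc:CipherValue>AAAA</xenc:CipherValue></xenc:CipherData>
        <xenc:ReferenceList><xenc:DataReference URI="#ED-1"/></xenc:ReferenceList>
      </xenc:EncryptedKey>
    </wsse:Security>
  </soap:Header>
  <soap:Body>
    <xenc:EncryptedData Id="ED-1" Type="{XENC}Content">
      <xenc:EncryptionMethod Algorithm="{data_alg}"/>
      <xenc:CipherData><xenc:CipherValue>BBBB</xenc:CipherValue></xenc:CipherData>
    </xenc:EncryptedData>
  </soap:Body>
</soap:Envelope>"""


if __name__ == "__main__":
    conformant = sample_message(XENC + "rsa-oaep-mgf1p", XENC + "aes256-cbc")
    downgraded = sample_message(XENC + "rsa-1_5", XENC + "tripledes-cbc")
    print("conformant under Basic256:", is_allowed(conformant, "Basic256"))
    print("downgraded under Basic256:", is_allowed(downgraded, "Basic256"))
```

The downgraded message is exactly what a policy-aware receiver must refuse: it names RSA PKCS#1 v1.5 key transport and 3DES-CBC, both outside Basic256, even though each is a perfectly valid XML Encryption algorithm and would be accepted under TripleDesRsa15. The check runs on the receiving side before any key unwrap or decryption, which is why the fix for this CVE has to be deployed where messages are decrypted.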
How to fix CVE-2012-5575
To remediate CVE-2012-5575, upgrade the affected package to a fixed version below. The missing check sits on the decrypting side, so the upgrade must be applied to the service or client that receives and decrypts WS-Security messages.
- Maven/org.apache.cxf:cxf-rt-transports-http: upgrade to 2.5.10 or later (per the description above, 2.6.x deployments need 2.6.7 or later and 2.7.x deployments need 2.7.4 or later)
Is CVE-2012-5575 being exploited?
Moderate — EPSS is 9.5%. Track this CVE but it's not at the top of the prioritisation list.
Affected packages (1)
- >= 2.5.0, < 2.5.10