CVE-2017-5653 — Improper Certificate Validation in Apache CXF

Description

JAX-RS XML Security streaming clients in Apache CXF before 3.1.11 and 3.0.13 do not validate that the service response was signed or encrypted, which allows remote attackers to spoof servers.

How to fix CVE-2017-5653

To remediate CVE-2017-5653, upgrade the affected package to a fixed version below.

Maven/org.apache.cxf:cxf-core—upgrade to 3.1.11 or later

Is CVE-2017-5653 being exploited?

Low — EPSS is 3.2%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

>= 3.1.0, < 3.1.11

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM5.3	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

References (11)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2017-5653
WEBcxf.apache.org/security-advisories.data/CVE-2017-5653.txt.asc?version=1&modificationDate=1492515074710&api=v2
WEBaccess.redhat.com/errata/RHSA-2017:1832
WEBgithub.com/apache/cxf