Vulnerability Description
The SymmetricBinding in Apache CXF before 2.6.13 and 2.7.x before 2.7.10, when EncryptBeforeSigning is enabled and the UsernameToken policy is set to an EncryptedSupportingToken, transmits the UsernameToken in cleartext, which allows remote attackers to obtain sensitive information by sniffing the network.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Apache | Cxf | <= 2.6.12 |
| Redhat | Jboss Enterprise Application Platform | 6.0.0 |
Related Weaknesses (CWE)
References
- http://cxf.apache.org/security-advisories.data/CVE-2014-0035.txt.ascVendor Advisory
- http://rhn.redhat.com/errata/RHSA-2014-0797.html
- http://rhn.redhat.com/errata/RHSA-2014-0798.html
- http://rhn.redhat.com/errata/RHSA-2014-0799.html
- http://rhn.redhat.com/errata/RHSA-2014-1351.html
- http://rhn.redhat.com/errata/RHSA-2015-0850.html
- http://rhn.redhat.com/errata/RHSA-2015-0851.html
- http://svn.apache.org/viewvc?view=revision&revision=1564724Patch
- https://lists.apache.org/thread.html/r36e44ffc1a9b365327df62cdfaabe85b9a5637de10
- https://lists.apache.org/thread.html/rc774278135816e7afc943dc9fc78eb0764f2c84a2b
- https://lists.apache.org/thread.html/rd49aabd984ed540c8ff7916d4d79405f3fa311d2fd
- https://lists.apache.org/thread.html/rec7160382badd3ef4ad017a22f64a266c7188b9ba7
- https://lists.apache.org/thread.html/rfb87e0bf3995e7d560afeed750fac9329ff5f1ad49
- https://lists.apache.org/thread.html/rff42cfa5e7d75b7c1af0e37589140a8f1999e578a7
- http://cxf.apache.org/security-advisories.data/CVE-2014-0035.txt.ascVendor Advisory
FAQ
What is CVE-2014-0035?
CVE-2014-0035 is a vulnerability with a CVSS score of 4.3 (MEDIUM). The SymmetricBinding in Apache CXF before 2.6.13 and 2.7.x before 2.7.10, when EncryptBeforeSigning is enabled and the UsernameToken policy is set to an EncryptedSupportingToken, transmits the Usernam...
How severe is CVE-2014-0035?
CVE-2014-0035 has been rated MEDIUM with a CVSS base score of 4.3/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2014-0035?
Check the references section above for vendor advisories and patch information. Affected products include: Apache Cxf, Redhat Jboss Enterprise Application Platform.