CVE-2014-0035: Cleartext Transmission of Sensitive Information in Apache CXF
(updated )
The SymmetricBinding in Apache CXF before 2.6.13 and 2.7.x before 2.7.10, when EncryptBeforeSigning is enabled and the UsernameToken policy is set to an EncryptedSupportingToken, transmits the UsernameToken in cleartext, which allows remote attackers to obtain sensitive information by sniffing the network.
References
- cxf.apache.org/security-advisories.data/CVE-2014-0035.txt.asc
- rhn.redhat.com/errata/RHSA-2014-0797.html
- rhn.redhat.com/errata/RHSA-2014-0798.html
- rhn.redhat.com/errata/RHSA-2014-0799.html
- rhn.redhat.com/errata/RHSA-2014-1351.html
- rhn.redhat.com/errata/RHSA-2015-0850.html
- rhn.redhat.com/errata/RHSA-2015-0851.html
- svn.apache.org/viewvc?view=revision&revision=1564724
- github.com/advisories/GHSA-v45r-rj5x-hpg2
- lists.apache.org/thread.html/r36e44ffc1a9b365327df62cdfaabe85b9a5637de102cea07d79b2dbf@%3Ccommits.cxf.apache.org%3E
- lists.apache.org/thread.html/rc774278135816e7afc943dc9fc78eb0764f2c84a2b96470a0187315c@%3Ccommits.cxf.apache.org%3E
- lists.apache.org/thread.html/rd49aabd984ed540c8ff7916d4d79405f3fa311d2fdbcf9ed307839a6@%3Ccommits.cxf.apache.org%3E
- lists.apache.org/thread.html/rec7160382badd3ef4ad017a22f64a266c7188b9ba71394f0d321e2d4@%3Ccommits.cxf.apache.org%3E
- lists.apache.org/thread.html/rfb87e0bf3995e7d560afeed750fac9329ff5f1ad49da365129b7f89e@%3Ccommits.cxf.apache.org%3E
- lists.apache.org/thread.html/rff42cfa5e7d75b7c1af0e37589140a8f1999e578a75738740b244bd4@%3Ccommits.cxf.apache.org%3E
- nvd.nist.gov/vuln/detail/CVE-2014-0035
Code Behaviors & Features
Detect and mitigate CVE-2014-0035 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →