Apache CXF 2.5.x before 2.5.10, 2.6.x before CXF 2.6.7, and 2.7.x before CXF 2.7.4 does not verify that a specified cryptographic algorithm is allowed by the WS-SecurityPolicy AlgorithmSuite definition before decrypting, which allows remote attackers to force CXF to use weaker cryptographic algorithms than intended and makes it easier to decrypt communications, aka "XML Encryption backwards compatibility attack."
References
Link Providers
http://cxf.apache.org/cve-2012-5575.html cve-icon cve-icon cve-icon
http://rhn.redhat.com/errata/RHSA-2013-0833.html cve-icon cve-icon
http://rhn.redhat.com/errata/RHSA-2013-0834.html cve-icon cve-icon
http://rhn.redhat.com/errata/RHSA-2013-0839.html cve-icon cve-icon
http://rhn.redhat.com/errata/RHSA-2013-0873.html cve-icon cve-icon
http://rhn.redhat.com/errata/RHSA-2013-0874.html cve-icon cve-icon
http://rhn.redhat.com/errata/RHSA-2013-0875.html cve-icon cve-icon
http://rhn.redhat.com/errata/RHSA-2013-0876.html cve-icon cve-icon
http://rhn.redhat.com/errata/RHSA-2013-0943.html cve-icon cve-icon
http://rhn.redhat.com/errata/RHSA-2013-1028.html cve-icon cve-icon
http://rhn.redhat.com/errata/RHSA-2013-1143.html cve-icon cve-icon
http://rhn.redhat.com/errata/RHSA-2013-1437.html cve-icon cve-icon
http://www.nds.ruhr-uni-bochum.de/research/publications/backwards-compatibility/ cve-icon cve-icon cve-icon
http://www.securityfocus.com/bid/60043 cve-icon cve-icon
https://bugzilla.redhat.com/show_bug.cgi?id=880443 cve-icon cve-icon
https://lists.apache.org/thread.html/r36e44ffc1a9b365327df62cdfaabe85b9a5637de102cea07d79b2dbf%40%3Ccommits.cxf.apache.org%3E cve-icon cve-icon
https://lists.apache.org/thread.html/rc774278135816e7afc943dc9fc78eb0764f2c84a2b96470a0187315c%40%3Ccommits.cxf.apache.org%3E cve-icon cve-icon
https://lists.apache.org/thread.html/rd49aabd984ed540c8ff7916d4d79405f3fa311d2fdbcf9ed307839a6%40%3Ccommits.cxf.apache.org%3E cve-icon cve-icon
https://lists.apache.org/thread.html/rec7160382badd3ef4ad017a22f64a266c7188b9ba71394f0d321e2d4%40%3Ccommits.cxf.apache.org%3E cve-icon cve-icon
https://lists.apache.org/thread.html/rfb87e0bf3995e7d560afeed750fac9329ff5f1ad49da365129b7f89e%40%3Ccommits.cxf.apache.org%3E cve-icon cve-icon
https://lists.apache.org/thread.html/rff42cfa5e7d75b7c1af0e37589140a8f1999e578a75738740b244bd4%40%3Ccommits.cxf.apache.org%3E cve-icon cve-icon
https://nvd.nist.gov/vuln/detail/CVE-2012-5575 cve-icon
https://www.cve.org/CVERecord?id=CVE-2012-5575 cve-icon
History

No history.

cve-icon MITRE

Status: PUBLISHED

Assigner: redhat

Published: 2013-08-19T23:00:00

Updated: 2024-08-06T21:14:16.301Z

Reserved: 2012-10-24T00:00:00

Link: CVE-2012-5575

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Modified

Published: 2013-08-19T23:55:08.127

Modified: 2024-11-21T01:44:55.097

Link: CVE-2012-5575

cve-icon Redhat

Severity : Important

Publid Date: 2013-03-08T00:00:00Z

Links: CVE-2012-5575 - Bugzilla