CVSS Score: -

Basic Information

CVE ID: -
GHSA ID: -
EPSS Score: -
CWE: -
Published: -
Updated: -
KEV Status: -
Technology: -
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| org.apache.cxf:cxf | maven | >= 2.4.0, <= 2.4.5 | 2.4.6 |
| org.apache.cxf:cxf | maven | >= 2.5.0, <= 2.5.1 | 2.5.2 |
The vulnerability stems from improper policy validation in the WS-Security UsernameToken handling. The UsernameTokenInterceptor is responsible for enforcing WS-SecurityPolicy (WS-SP) requirements, but in vulnerable versions it did not properly check whether a UsernameToken was actually present when the policy required one. This matches the CVE description, in which an empty UsernameToken is accepted and authentication is bypassed. The interceptor layer is the logical place for this policy check, and regressions and fixes in Apache CXF security components typically involve the policy interceptor classes.