CVE-2013-0239: Improper Authentication in Apache CXF
CVSS Score: 5
Basic Information
CVE ID: CVE-2013-0239
GHSA ID:
EPSS Score: 0.88948%
CWE:
Published: 5/5/2022
Updated: 12/21/2023
KEV Status: No
Technology: Java
Technical Details
CVSS Vector: AV:N/AC:L/Au:N/C:N/I:P/A:N
Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
---|---|---|---|
org.apache.cxf:cxf-rt-frontend-jaxrs | maven | < 2.5.9 | 2.5.9 |
org.apache.cxf:cxf-rt-frontend-jaxrs | maven | >= 2.6.0, < 2.6.6 | 2.6.6 |
org.apache.cxf:cxf-rt-frontend-jaxrs | maven | >= 2.7.0, < 2.7.3 | 2.7.3 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability stems from missing password validation in WS-SecurityPolicy handling. The commit e4c6b3b adds critical checks in these two functions:
- UsernameTokenInterceptor now verifies that a password is present for non-endorsing SupportingTokens
- UsernameTokenPolicyValidator enforces the password requirement through an isNonEndorsingSupportingToken check
These functions were vulnerable because they previously allowed authentication when UsernameToken elements lacked passwords in policy configurations that required them, particularly in SupportingToken scenarios.