CVE-2013-0239: Improper Authentication in Apache CXF

CVSS Score: 5

Basic Information

EPSS Score: 0.88948%
Published: 5/5/2022
Updated: 12/21/2023
KEV Status: No
Technology: Java

Technical Details

CVSS Vector: AV:N/AC:L/Au:N/C:N/I:P/A:N

Package Name                          Ecosystem  Vulnerable Versions  First Patched Version
org.apache.cxf:cxf-rt-frontend-jaxrs  maven      < 2.5.9              2.5.9
org.apache.cxf:cxf-rt-frontend-jaxrs  maven      >= 2.6.0, < 2.6.6    2.6.6
org.apache.cxf:cxf-rt-frontend-jaxrs  maven      >= 2.7.0, < 2.7.3    2.7.3

Vulnerability Intelligence

Root Cause Analysis (Miggo AI)

The vulnerability stems from missing password validation in WS-SecurityPolicy handling. The commit e4c6b3b adds critical checks in these two functions:

  1. UsernameTokenInterceptor now verifies password presence for non-endorsing SupportingTokens.
  2. UsernameTokenPolicyValidator enforces the password requirement through an isNonEndorsingSupportingToken check.

These functions were vulnerable because they previously allowed authentication when UsernameToken elements lacked passwords in policy configurations requiring them, particularly in SupportingToken scenarios.
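As an added illustration (not code from this page or from Apache CXF), the following Python models the check described above on a constructed SOAP request: validate_vulnerable reproduces the pre-fix behaviour of skipping password verification when the Password element is absent, while validate_fixed rejects a non-endorsing SupportingToken that carries no password before verifying it. The credential store, the function names and the non_endorsing_supporting_token flag are assumptions of this example.

```python
import xml.etree.ElementTree as ET

# Namespaces of a SOAP 1.1 envelope and the WS-Security (wsse) header.
SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE_NS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
NS = {"soap": SOAP_NS, "wsse": WSSE_NS}
PASSWORD_TEXT = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText"

CREDENTIALS = {"alice": "s3cret"}  # constructed credential store, hypothetical


def username_tokens(soap_xml):
    """Yield (username, password-or-None) for each UsernameToken in the Security header."""
    root = ET.fromstring(soap_xml)
    for tok in root.findall("soap:Header/wsse:Security/wsse:UsernameToken", NS):
        user = tok.findtext("wsse:Username", default="", namespaces=NS)
        pw = tok.find("wsse:Password", NS)
        yield user, (None if pw is None else (pw.text or ""))


def validate_vulnerable(soap_xml, credentials):
    """Pre-fix behaviour: a token with no Password element simply skips the password check."""
    tokens = list(username_tokens(soap_xml))
    if not tokens:
        return False
    for user, password in tokens:
        if password is not None and credentials.get(user) != password:
            return False
    return True


def validate_fixed(soap_xml, credentials, non_endorsing_supporting_token=True):
    """Post-fix behaviour: a non-endorsing SupportingToken must carry a password, then it is verified."""
    tokens = list(username_tokens(soap_xml))
    if not tokens:
        return False
    for user, password in tokens:
        # Endorsing tokens only sign the message signature and carry no password,
        # so the password requirement applies to the non-endorsing, credential-bearing case.
        if non_endorsing_supporting_token and not password:
            return False
        if password is not None and credentials.get(user) != password:
            return False
    return True


def soap_request(username, password=None):
    """Build a constructed SOAP request; the Password element is omitted when password is None."""
    pw = "" if password is None else f'<wsse:Password Type="{PASSWORD_TEXT}">{password}</wsse:Password>'
    return (f'<soap:Envelope xmlns:soap="{SOAP_NS}" xmlns:wsse="{WSSE_NS}"><soap:Header><wsse:Security>'
            f'<wsse:UsernameToken><wsse:Username>{username}</wsse:Username>{pw}</wsse:UsernameToken>'
            '</wsse:Security></soap:Header><soap:Body/></soap:Envelope>')
```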


WAF Protection Rules

WAF Rule

Apache CXF before 2.5.9, 2.6.x before 2.6.6, and 2.7.x before 2.7.3, when the plaintext UsernameToken WS-SecurityPolicy is enabled, allows remote attackers to bypass authentication via a security header of a SOAP request containing a UsernameToken el
