CVE-2012-0803: Apache CXF does not validate UsernameToken policies correctly
Vendor: The Apache Software Foundation
Versions Affected: Apache CXF 2.4.5 and 2.5.1
Description: CXF does not validate a WS-Security UsernameToken received as part
of the security header of a SOAP request against a WS-SecurityPolicy (WS-SP)
UsernameToken policy. A malicious client could send a request to the endpoint
with no UsernameToken at all, and the UsernameToken policy requirement would
still be marked as satisfied.
This has been fixed in revision:
This issue was a regression in CXF 2.4.5 and 2.5.1. The vulnerability does not
exist in CXF 2.4.4 and 2.5.0.
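As an added illustration (this is not Apache CXF's own code), the check that the fixed versions restore: a policy that requires a UsernameToken is satisfied only when the wsse:Security header of the received request actually carries one. The SOAP messages and the helper names below are constructed for this example, and the "regressed" function only shows the shape of the bug, not CXF's implementation.

```python
import xml.etree.ElementTree as ET

SOAP_ENV = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE = ("http://docs.oasis-open.org/wss/2004/01/"
        "oasis-200401-wss-wssecurity-secext-1.0.xsd")
NS = {"soap": SOAP_ENV, "wsse": WSSE}

# Constructed sample requests: one carrying a UsernameToken, one with an
# empty security header (the request the advisory says slipped through).
WITH_TOKEN = f"""<soap:Envelope xmlns:soap="{SOAP_ENV}">
  <soap:Header><wsse:Security xmlns:wsse="{WSSE}">
    <wsse:UsernameToken>
      <wsse:Username>alice</wsse:Username>
      <wsse:Password>constructed-sample-password</wsse:Password>
    </wsse:UsernameToken>
  </wsse:Security></soap:Header><soap:Body/></soap:Envelope>"""
WITHOUT_TOKEN = f"""<soap:Envelope xmlns:soap="{SOAP_ENV}">
  <soap:Header><wsse:Security xmlns:wsse="{WSSE}"/></soap:Header>
  <soap:Body/></soap:Envelope>"""

def received_tokens(soap_xml: str) -> dict[str, list[ET.Element]]:
    """Map each token type found in wsse:Security to the elements received."""
    root = ET.fromstring(soap_xml)
    security = root.find("soap:Header/wsse:Security", NS)
    found: dict[str, list[ET.Element]] = {}
    if security is None:  # no security header at all
        return found
    for child in security:
        local_name = child.tag.split("}")[-1]  # strip the namespace URI
        found.setdefault(local_name, []).append(child)
    return found

def regressed_policy_check(required: set[str], soap_xml: str) -> bool:
    """Shape of the regression: the policy is marked satisfied without
    consulting the tokens that were actually received."""
    return True

def fixed_policy_check(required: set[str], soap_xml: str) -> bool:
    """Every required token type must be present in the security header;
    a required UsernameToken must also carry a non-empty Username and Password."""
    tokens = received_tokens(soap_xml)
    if any(token_type not in tokens for token_type in required):
        return False
    if "UsernameToken" in required:
        for tok in tokens["UsernameToken"]:
            user = tok.findtext("wsse:Username", default="", namespaces=NS)
            pw = tok.findtext("wsse:Password", default="", namespaces=NS)
            if not (user and pw):
                return False
    return True
```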
CXF 2.4.5 users should upgrade to 2.4.6 as soon as possible.
CXF 2.5.1 users should upgrade to 2.5.2 as soon as possible.