Moderate severityNVD Advisory· Published Aug 19, 2013· Updated Apr 29, 2026
CVE-2012-5575
CVE-2012-5575
Description
Apache CXF 2.5.x before 2.5.10, 2.6.x before CXF 2.6.7, and 2.7.x before CXF 2.7.4 does not verify that a specified cryptographic algorithm is allowed by the WS-SecurityPolicy AlgorithmSuite definition before decrypting, which allows remote attackers to force CXF to use weaker cryptographic algorithms than intended and makes it easier to decrypt communications, aka "XML Encryption backwards compatibility attack."
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
org.apache.cxf:cxf-rt-transports-httpMaven | >= 2.5.0, < 2.5.10 | 2.5.10 |
org.apache.cxf:cxf-rt-transports-httpMaven | >= 2.6.0, < 2.6.7 | 2.6.7 |
org.apache.cxf:cxf-rt-transports-httpMaven | >= 2.7.0, < 2.7.4 | 2.7.4 |
Affected products
26cpe:2.3:a:apache:cxf:2.5.0:*:*:*:*:*:*:*+ 20 more
- cpe:2.3:a:apache:cxf:2.5.0:*:*:*:*:*:*:*
- cpe:2.3:a:apache:cxf:2.5.1:*:*:*:*:*:*:*
- cpe:2.3:a:apache:cxf:2.5.2:*:*:*:*:*:*:*
- cpe:2.3:a:apache:cxf:2.5.3:*:*:*:*:*:*:*
- cpe:2.3:a:apache:cxf:2.5.4:*:*:*:*:*:*:*
- cpe:2.3:a:apache:cxf:2.5.5:*:*:*:*:*:*:*
- cpe:2.3:a:apache:cxf:2.5.6:*:*:*:*:*:*:*
- cpe:2.3:a:apache:cxf:2.5.7:*:*:*:*:*:*:*
- cpe:2.3:a:apache:cxf:2.5.8:*:*:*:*:*:*:*
- cpe:2.3:a:apache:cxf:2.5.9:*:*:*:*:*:*:*
- cpe:2.3:a:apache:cxf:2.6.0:*:*:*:*:*:*:*
- cpe:2.3:a:apache:cxf:2.6.1:*:*:*:*:*:*:*
- cpe:2.3:a:apache:cxf:2.6.2:*:*:*:*:*:*:*
- cpe:2.3:a:apache:cxf:2.6.3:*:*:*:*:*:*:*
- cpe:2.3:a:apache:cxf:2.6.4:*:*:*:*:*:*:*
- cpe:2.3:a:apache:cxf:2.6.5:*:*:*:*:*:*:*
- cpe:2.3:a:apache:cxf:2.6.6:*:*:*:*:*:*:*
- cpe:2.3:a:apache:cxf:2.7.0:*:*:*:*:*:*:*
- cpe:2.3:a:apache:cxf:2.7.1:*:*:*:*:*:*:*
- cpe:2.3:a:apache:cxf:2.7.2:*:*:*:*:*:*:*
- cpe:2.3:a:apache:cxf:2.7.3:*:*:*:*:*:*:*
- cpe:2.3:a:redhat:jboss_enterprise_application_platform:5.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:redhat:jboss_enterprise_portal_platform:4.3.0:*:*:*:*:*:*:*
- cpe:2.3:a:redhat:jboss_enterprise_soa_platform:4.3.0:*:*:*:*:*:*:*
- cpe:2.3:a:redhat:jboss_enterprise_web_platform:5.2.0:*:*:*:*:*:*:*
- cpe:2.3:a:redhat:jboss_fuse_esb_enterprise:7.1.0:*:*:*:*:*:*:*
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
30- rhn.redhat.com/errata/RHSA-2013-0873.htmlnvdVendor AdvisoryWEB
- rhn.redhat.com/errata/RHSA-2013-0874.htmlnvdVendor AdvisoryWEB
- rhn.redhat.com/errata/RHSA-2013-0876.htmlnvdVendor AdvisoryWEB
- rhn.redhat.com/errata/RHSA-2013-0943.htmlnvdVendor AdvisoryWEB
- rhn.redhat.com/errata/RHSA-2013-1143.htmlnvdVendor AdvisoryWEB
- github.com/advisories/GHSA-7v5v-9v8r-w864ghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2012-5575ghsaADVISORY
- cxf.apache.org/cve-2012-5575.htmlnvdWEB
- rhn.redhat.com/errata/RHSA-2013-0833.htmlnvdWEB
- rhn.redhat.com/errata/RHSA-2013-0834.htmlnvdWEB
- rhn.redhat.com/errata/RHSA-2013-0839.htmlnvdWEB
- rhn.redhat.com/errata/RHSA-2013-0875.htmlnvdWEB
- rhn.redhat.com/errata/RHSA-2013-1028.htmlnvdWEB
- rhn.redhat.com/errata/RHSA-2013-1437.htmlnvdWEB
- www.nds.ruhr-uni-bochum.de/research/publications/backwards-compatibilityghsaWEB
- www.securityfocus.com/bid/60043nvdWEB
- bugzilla.redhat.com/show_bug.cginvdWEB
- lists.apache.org/thread.html/r36e44ffc1a9b365327df62cdfaabe85b9a5637de102cea07d79b2dbf%40%3Ccommits.cxf.apache.org%3EnvdWEB
- lists.apache.org/thread.html/r36e44ffc1a9b365327df62cdfaabe85b9a5637de102cea07d79b2dbf@%3Ccommits.cxf.apache.org%3EghsaWEB
- lists.apache.org/thread.html/rc774278135816e7afc943dc9fc78eb0764f2c84a2b96470a0187315c%40%3Ccommits.cxf.apache.org%3EnvdWEB
- lists.apache.org/thread.html/rc774278135816e7afc943dc9fc78eb0764f2c84a2b96470a0187315c@%3Ccommits.cxf.apache.org%3EghsaWEB
- lists.apache.org/thread.html/rd49aabd984ed540c8ff7916d4d79405f3fa311d2fdbcf9ed307839a6%40%3Ccommits.cxf.apache.org%3EnvdWEB
- lists.apache.org/thread.html/rd49aabd984ed540c8ff7916d4d79405f3fa311d2fdbcf9ed307839a6@%3Ccommits.cxf.apache.org%3EghsaWEB
- lists.apache.org/thread.html/rec7160382badd3ef4ad017a22f64a266c7188b9ba71394f0d321e2d4%40%3Ccommits.cxf.apache.org%3EnvdWEB
- lists.apache.org/thread.html/rec7160382badd3ef4ad017a22f64a266c7188b9ba71394f0d321e2d4@%3Ccommits.cxf.apache.org%3EghsaWEB
- lists.apache.org/thread.html/rfb87e0bf3995e7d560afeed750fac9329ff5f1ad49da365129b7f89e%40%3Ccommits.cxf.apache.org%3EnvdWEB
- lists.apache.org/thread.html/rfb87e0bf3995e7d560afeed750fac9329ff5f1ad49da365129b7f89e@%3Ccommits.cxf.apache.org%3EghsaWEB
- lists.apache.org/thread.html/rff42cfa5e7d75b7c1af0e37589140a8f1999e578a75738740b244bd4%40%3Ccommits.cxf.apache.org%3EnvdWEB
- lists.apache.org/thread.html/rff42cfa5e7d75b7c1af0e37589140a8f1999e578a75738740b244bd4@%3Ccommits.cxf.apache.org%3EghsaWEB
- www.nds.ruhr-uni-bochum.de/research/publications/backwards-compatibility/nvd
News mentions
0No linked articles in our index yet.