Use of a Risky Cryptographic Algorithm Affecting org.apache.cxf:cxf package, versions [2.4.0,2.4.7) [2.5.1,2.5.3)


0.0
high

Snyk CVSS

    Attack Complexity Low
    Confidentiality High
Expand this section
NVD
5.9 medium

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk ID SNYK-JAVA-ORGAPACHECXF-30553
  • published 16 Oct 2015
  • disclosed 16 Oct 2015
  • credit Tibor Jager, Sebastian Schinzel, Juraj Somorovsky

How to fix?

Upgrade org.apache.cxf:cxf to version 2.4.7, 2.5.3 or higher.

Overview

org.apache.cxf:cxf is a services framework that aids in the development of services using front-end programming APIs, like JAX-WS and JAX-RS.

Affected versions of this package are vulnerable to Use of a Risky Cryptographic Algorithm. The PKCS#1 v1.5 Key Transport Algorithm is used to encrypt symmetric keys as part of WS-Security. WSS4J can leak information about where a particular decryption operation fails.