Use of a Risky Cryptographic Algorithm Affecting org.apache.cxf:cxf Open this link in a new tab package, versions [2.4.0,2.4.7) [2.5.1,2.5.3)

  • Attack Complexity


  • Confidentiality


Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • snyk-id


  • published

    16 Oct 2015

  • disclosed

    16 Oct 2015

  • credit

    Tibor Jager, Sebastian Schinzel, Juraj Somorovsky

How to fix?

Upgrade org.apache.cxf:cxf to version 2.4.7, 2.5.3 or higher.


org.apache.cxf:cxf is a services framework that aids in the development of services using front-end programming APIs, like JAX-WS and JAX-RS.

Affected versions of this package are vulnerable to Use of a Risky Cryptographic Algorithm. The PKCS#1 v1.5 Key Transport Algorithm is used to encrypt symmetric keys as part of WS-Security. WSS4J can leak information about where a particular decryption operation fails.