First published: Mon Aug 27 2012
Apache CXF before 2.4.9, 2.5.x before 2.5.5, and 2.6.x before 2.6.2 allows remote attackers to execute unintended web-service operations by sending a header with a SOAP Action String that is inconsistent with the message body.
Credit: secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Apache CXF | <2.4.9 | |
| Apache CXF | >=2.5.0, <2.5.5 | |
| Apache CXF | >=2.6.0, <2.6.2 | |
| maven/org.apache.cxf:cxf | >=2.6.0, <2.6.2 | 2.6.2 |
| maven/org.apache.cxf:cxf | >=2.5.0, <2.5.5 | 2.5.5 |
| maven/org.apache.cxf:cxf | <2.4.9 | 2.4.9 |
CVE-2012-3451 is considered to be of moderate severity: it allows remote attackers to perform unauthorized operations when a request's SOAPAction header names a different operation than its message body.
To fix CVE-2012-3451, upgrade Apache CXF to 2.4.9, 2.5.5, or 2.6.2 (or later), whichever corresponds to the branch you are running.
CVE-2012-3451 allows for SOAPAction spoofing attacks, enabling unauthorized access to restricted web service operations.
Apache CXF versions prior to 2.4.9, 2.5.x prior to 2.5.5, and 2.6.x prior to 2.6.2 are affected by CVE-2012-3451.
There are no known workarounds for CVE-2012-3451; the recommended action is to update to the fixed versions.
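The root cause described above is a dispatcher that trusts the SOAPAction header without checking it against the operation element in the SOAP body. The following added example (it is not Apache CXF code and does not reproduce the project's fix) contrasts a header-only dispatch with a checked dispatch that derives the operation from the body and rejects any request whose header disagrees. The service contract, action URIs, operation names and sample envelopes are constructed for the example.

```python
"""Dispatch guard illustrating the bug class behind CVE-2012-3451.

Added example, not Apache CXF code. A SOAP front end that selects the
operation from the SOAPAction header alone can be steered to an operation
other than the one the body actually carries. The checked dispatcher below
resolves the operation from soap:Body and refuses a disagreeing header.
"""
import xml.etree.ElementTree as ET

SOAP_ENV = "http://schemas.xmlsoap.org/soap/envelope/"

# Hypothetical service contract (constructed): SOAPAction URI -> operation
# element name. A real service would derive this mapping from its WSDL.
ACTIONS = {
    "urn:example:getBalance": "getBalance",
    "urn:example:transferFunds": "transferFunds",
}


class DispatchError(Exception):
    """Raised when a request cannot be safely mapped to one operation."""


def _local_name(tag: str) -> str:
    """Strip the {namespace} prefix ElementTree puts on qualified tags."""
    return tag.split("}", 1)[1] if tag.startswith("{") else tag


def body_operation(envelope_xml: str) -> str:
    """Return the local name of the first child element of soap:Body."""
    root = ET.fromstring(envelope_xml)
    body = root.find(f"{{{SOAP_ENV}}}Body")
    if body is None or len(body) == 0:
        raise DispatchError("no operation element in soap:Body")
    return _local_name(body[0].tag)


def dispatch_by_header_only(soap_action: str, envelope_xml: str) -> str:
    """Vulnerable pattern: the header picks the operation, the body is ignored."""
    op = ACTIONS.get(soap_action.strip('"'))
    if op is None:
        raise DispatchError(f"unknown SOAPAction {soap_action!r}")
    return op


def dispatch_checked(soap_action: str, envelope_xml: str) -> str:
    """Hardened pattern: the body names the operation and the header must agree."""
    op = body_operation(envelope_xml)
    if op not in ACTIONS.values():
        raise DispatchError(f"unknown operation {op!r} in soap:Body")
    header_op = ACTIONS.get(soap_action.strip('"'))
    if header_op != op:
        raise DispatchError(
            f"SOAPAction {soap_action!r} names {header_op!r} but body names {op!r}"
        )
    return op


def is_consistent(soap_action: str, envelope_xml: str) -> bool:
    """True when the checked dispatcher would accept the request."""
    try:
        dispatch_checked(soap_action, envelope_xml)
        return True
    except DispatchError:
        return False


# Constructed sample envelopes for the two cases.
CONSISTENT = """<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
  <soapenv:Body><getBalance xmlns="urn:example"/></soapenv:Body>
</soapenv:Envelope>"""

# Header will say getBalance, but the body carries transferFunds.
MISMATCHED = """<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
  <soapenv:Body><transferFunds xmlns="urn:example"/></soapenv:Body>
</soapenv:Envelope>"""

if __name__ == "__main__":
    action = '"urn:example:getBalance"'
    print("header-only dispatch, mismatched body ->",
          dispatch_by_header_only(action, MISMATCHED))   # getBalance (wrong)
    print("checked dispatch, consistent ->", dispatch_checked(action, CONSISTENT))
    print("checked dispatch, mismatched accepted? ->", is_consistent(action, MISMATCHED))
```

The header-only dispatcher answers `getBalance` for the mismatched message even though the body is a `transferFunds` request, which is the inconsistency the advisory describes; the checked dispatcher treats the body as authoritative and rejects the request instead. A deployment that has not yet upgraded gains nothing from this at the framework level, since CXF performs the dispatch internally; the fixed versions in the table above are the remedy.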