The SymmetricBinding in Apache CXF before 2.6.13 and 2.7.x before 2.7.10, when EncryptBeforeSigning is enabled and the UsernameToken policy is set to an EncryptedSupportingToken, transmits the UsernameToken in cleartext, which allows remote attackers to obtain sensitive information by sniffing the network.
History

No history.

cve-icon MITRE

Status: PUBLISHED

Assigner: redhat

Published: 2014-07-07T14:00:00

Updated: 2024-08-06T08:58:26.618Z

Reserved: 2013-12-03T00:00:00

Link: CVE-2014-0035

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Modified

Published: 2014-07-07T14:55:03.397

Modified: 2024-11-21T02:01:13.260

Link: CVE-2014-0035

cve-icon Redhat

Severity : Low

Publid Date: 2014-05-01T00:00:00Z

Links: CVE-2014-0035 - Bugzilla