VulnerableCode Vulnerability Details

Staging Environment: Content and features may be unstable or change without notice.

Search for vulnerabilities

Vulnerability details: VCID-cppb-xhj5-a7ep

Vulnerability ID	VCID-cppb-xhj5-a7ep
Aliases	CVE-2013-0239 GHSA-p5c5-6564-vvr8
Summary	UsernameTokenPolicyValidator and UsernameTokenInterceptor allow empty passwords to authenticate When the plaintext UsernameToken WS-SecurityPolicy is enabled, allows remote attackers to bypass authentication via a security header of a SOAP request containing a UsernameToken element that lacks a password child element.
Status	Published
Exploitability	None
Weighted Severity	None
Risk	None
Affected and Fixed Packages	Package Details

Weaknesses (3)

CWE-1035	OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
CWE-287	Improper Authentication
CWE-937	OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities

System	Score	Found at
There are no known severity scores.

Reference id	Reference type	URL
		http://osvdb.org/90078
		http://packetstormsecurity.com/files/120214/Apache-CXF-WS-Security-UsernameToken-Bypass.html
		http://rhn.redhat.com/errata/RHSA-2013-0749.html
		https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-0239
		http://seclists.org/fulldisclosure/2013/Feb/39
		http://secunia.com/advisories/51988
		https://exchange.xforce.ibmcloud.com/vulnerabilities/81981
		https://lists.apache.org/thread.html/r36e44ffc1a9b365327df62cdfaabe85b9a5637de102cea07d79b2dbf@%3Ccommits.cxf.apache.org%3E
		https://lists.apache.org/thread.html/rc774278135816e7afc943dc9fc78eb0764f2c84a2b96470a0187315c@%3Ccommits.cxf.apache.org%3E
		https://lists.apache.org/thread.html/rd49aabd984ed540c8ff7916d4d79405f3fa311d2fdbcf9ed307839a6@%3Ccommits.cxf.apache.org%3E
		https://lists.apache.org/thread.html/rec7160382badd3ef4ad017a22f64a266c7188b9ba71394f0d321e2d4@%3Ccommits.cxf.apache.org%3E
		https://lists.apache.org/thread.html/rfb87e0bf3995e7d560afeed750fac9329ff5f1ad49da365129b7f89e@%3Ccommits.cxf.apache.org%3E
		https://lists.apache.org/thread.html/rff42cfa5e7d75b7c1af0e37589140a8f1999e578a75738740b244bd4@%3Ccommits.cxf.apache.org%3E
		http://svn.apache.org/viewvc?view=revision&revision=1438424
CVE-2013-0239		https://nvd.nist.gov/vuln/detail/CVE-2013-0239
CVE-2013-0239.HTML		http://cxf.apache.org/cve-2013-0239.html
GHSA-p5c5-6564-vvr8		https://github.com/advisories/GHSA-p5c5-6564-vvr8

No exploits are available.

There are no known vectors.

No EPSS data available for this vulnerability.

Date	Actor	Action	Source	VulnerableCode Version
2026-06-02T04:36:08.131979+00:00	GitLab Importer	Import	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.apache.cxf/cxf-rt-ws-security/CVE-2013-0239.yml	38.6.0