CVEs-PoC/2017/CVE-2017-5653.md

### [CVE-2017-5653](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5653)
![](https://img.shields.io/static/v1?label=Product&message=Apache%20CXF&color=blue)
![](https://img.shields.io/static/v1?label=Version&message=3.1.x%20prior%20to%203.1.11%20&color=brightgreen)
![](https://img.shields.io/static/v1?label=Version&message=prior%20to%203.0.13%20&color=brightgreen)
![](https://img.shields.io/static/v1?label=Vulnerability&message=XML%20Security%20streaming%20clients%20do%20not%20validate%20that%20the%20service%20response%20was%20secured.&color=brightgreen)

### Description

JAX-RS XML Security streaming clients in Apache CXF before 3.1.11 and 3.0.13 do not validate that the service response was signed or encrypted, which allows remote attackers to spoof servers.

### POC

#### Reference
No PoCs from references.

#### Github
- https://github.com/n0-traces/cve_monitor