We use the OWASP Dependency Check to identify vulnerabilities in the dependencies of our Java project. One that is being flagged is CVE-2012-5786. According to that CVE, the issue is "in Apache CXF, possibly 2.6.0".
We are using Apache CXF 3.1.11, released April 2017. Because of how vague the CVE is about which versions are affected, we're unsure if our version of CXF is affected. We suspect not since it's five years old, but I guess we don't know for sure.
Does CVE-2012-5786 affect Apache CXF 3.1.11 (and later)?