CVSS: 5.3EPSS: 0%CPEs: 2EXPL: 0CVE-2024-41172 – Apache CXF: Unrestricted memory consumption in CXF HTTP clients
https://notcve.org/view.php?id=CVE-2024-41172
In versions of Apache CXF before 3.6.4 and 4.0.5 (3.5.x and lower versions are not impacted), a CXF HTTP client conduit may prevent HTTPClient instances from being garbage collected and it is possible that memory consumption will continue to increase, eventually causing the application to run out of memory En las versiones de Apache CXF anteriores a 3.6.4 y 4.0.5 (las versiones 3.5.x y inferiores no se ven afectadas), un conducto de cliente HTTP de CXF puede impedir que las instancias de HTTPClient se recopilen como basura y es posible que el consumo de memoria continúe aumentando eventualmente causando que la aplicación se quede sin memoria. • https://lists.apache.org/thread/n2hvbrgwpdtcqdccod8by28ynnolybl6 • CWE-401: Missing Release of Memory after Effective Lifetime •
CVSS: 7.5EPSS: 0%CPEs: 3EXPL: 0CVE-2024-32007 – Apache CXF Denial of Service vulnerability in JOSE
https://notcve.org/view.php?id=CVE-2024-32007
An improper input validation of the p2c parameter in the Apache CXF JOSE code before 4.0.5, 3.6.4 and 3.5.9 allows an attacker to perform a denial of service attack by specifying a large value for this parameter in a token. Una validación de entrada incorrecta del parámetro p2c en el código Apache CXF JOSE anterior a 4.0.5, 3.6.4 y 3.5.9 permite a un atacante realizar un ataque de denegación de servicio especificando un valor grande para este parámetro en un token. • https://lists.apache.org/thread/stwrgsr1llb73nkl16klv9vjqgmmx633 • CWE-20: Improper Input Validation CWE-400: Uncontrolled Resource Consumption •
CVSS: 7.5EPSS: 0%CPEs: 3EXPL: 0CVE-2024-29736 – Apache CXF: SSRF vulnerability via WADL stylesheet parameter
https://notcve.org/view.php?id=CVE-2024-29736
A SSRF vulnerability in WADL service description in versions of Apache CXF before 4.0.5, 3.6.4 and 3.5.9 allows an attacker to perform SSRF style attacks on REST webservices. The attack only applies if a custom stylesheet parameter is configured. Una vulnerabilidad SSRF en la descripción del servicio WADL en versiones de Apache CXF anteriores a 4.0.5, 3.6.4 y 3.5.9 permite a un atacante realizar ataques de estilo SSRF en servicios web REST. El ataque sólo se aplica si se configura un parámetro de hoja de estilo personalizado. • https://lists.apache.org/thread/4jtpsswn2r6xommol54p5mg263ysgdw2 • CWE-918: Server-Side Request Forgery (SSRF) •
CVSS: 9.3EPSS: 0%CPEs: 3EXPL: 0CVE-2024-28752 – Apache CXF SSRF Vulnerability using the Aegis databinding
https://notcve.org/view.php?id=CVE-2024-28752
A SSRF vulnerability using the Aegis DataBinding in versions of Apache CXF before 4.0.4, 3.6.3 and 3.5.8 allows an attacker to perform SSRF style attacks on webservices that take at least one parameter of any type. Users of other data bindings (including the default databinding) are not impacted. Una vulnerabilidad SSRF que utiliza Aegis DataBinding en versiones de Apache CXF anteriores a 4.0.4, 3.6.3 y 3.5.8 permite a un atacante realizar ataques de estilo SSRF en servicios web que toman al menos un parámetro de cualquier tipo. Los usuarios de otros enlaces de datos (incluido el enlace de datos predeterminado) no se ven afectados. A server-side request forgery (SSRF) vulnerability was found in Apache CXF. • http://www.openwall.com/lists/oss-security/2024/03/14/3 https://cxf.apache.org/security-advisories.data/CVE-2024-28752.txt https://security.netapp.com/advisory/ntap-20240517-0001 https://access.redhat.com/security/cve/CVE-2024-28752 https://bugzilla.redhat.com/show_bug.cgi?id=2270732 • CWE-918: Server-Side Request Forgery (SSRF) •
CVSS: 9.8EPSS: 4%CPEs: 2EXPL: 0CVE-2022-46364 – Apache CXF SSRF Vulnerability
https://notcve.org/view.php?id=CVE-2022-46364
A SSRF vulnerability in parsing the href attribute of XOP:Include in MTOM requests in versions of Apache CXF before 3.5.5 and 3.4.10 allows an attacker to perform SSRF style attacks on webservices that take at least one parameter of any type. Una vulnerabilidad SSRF al analizar el atributo href de XOP: Incluir en solicitudes MTOM en versiones de Apache CXF anteriores a 3.5.5 y 3.4.10 permite a un atacante realizar ataques de estilo SSRF en servicios web que toman al menos un parámetro de cualquier tipo. A SSRF vulnerability was found in Apache CXF. This issue occurs when parsing the href attribute of XOP:Include in MTOM requests, allowing an attacker to perform SSRF style attacks on webservices that take at least one parameter of any type. • https://cxf.apache.org/security-advisories.data/CVE-2022-46364.txt?version=1&modificationDate=1670944472739&api=v2 https://access.redhat.com/security/cve/CVE-2022-46364 https://bugzilla.redhat.com/show_bug.cgi?id=2155682 • CWE-918: Server-Side Request Forgery (SSRF) •