
CVSS: 5.3 | EPSS: 0% | CPEs: 2 | EXPL: 0

In versions of Apache CXF before 3.6.4 and 4.0.5 (3.5.x and lower versions are not impacted), a CXF HTTP client conduit may prevent HTTPClient instances from being garbage collected, and it is possible that memory consumption will continue to increase, eventually causing the application to run out of memory.

A memory consumption flaw was found in Apache CXF. This issue may allow a CXF HTTP client conduit to prevent HTTPClient instances from being garbage collected, eventually causing the application to run out of memory.

References:
  https://lists.apache.org/thread/n2hvbrgwpdtcqdccod8by28ynnolybl6
  https://access.redhat.com/security/cve/CVE-2024-41172
  https://bugzilla.redhat.com/show_bug.cgi?id=2298829
Weakness: CWE-401: Missing Release of Memory after Effective Lifetime

CVSS: 7.5 | EPSS: 0% | CPEs: 3 | EXPL: 0

An improper input validation of the p2c parameter in the Apache CXF JOSE code before 4.0.5, 3.6.4 and 3.5.9 allows an attacker to perform a denial of service attack by specifying a large value for this parameter in a token.

An improper input validation vulnerability was found in the p2c parameter in the Apache CXF JOSE code. This flaw allows an attacker to perform a denial of service attack by specifying a large value for this parameter in a token.

References:
  https://lists.apache.org/thread/stwrgsr1llb73nkl16klv9vjqgmmx633
  https://access.redhat.com/security/cve/CVE-2024-32007
  https://bugzilla.redhat.com/show_bug.cgi?id=2298828
Weaknesses: CWE-20: Improper Input Validation; CWE-400: Uncontrolled Resource Consumption

CVSS: 9.1 | EPSS: 0% | CPEs: 3 | EXPL: 0

An SSRF vulnerability in the WADL service description in versions of Apache CXF before 4.0.5, 3.6.4 and 3.5.9 allows an attacker to perform SSRF style attacks on REST webservices. The attack only applies if a custom stylesheet parameter is configured.

A Server-side request forgery (SSRF) vulnerability was found in Apache CXF in the WADL service description.

References:
  https://lists.apache.org/thread/4jtpsswn2r6xommol54p5mg263ysgdw2
  https://access.redhat.com/security/cve/CVE-2024-29736
  https://bugzilla.redhat.com/show_bug.cgi?id=2298827
Weakness: CWE-918: Server-Side Request Forgery (SSRF)

CVSS: 9.3 | EPSS: 0% | CPEs: 3 | EXPL: 0

An SSRF vulnerability using the Aegis DataBinding in versions of Apache CXF before 4.0.4, 3.6.3 and 3.5.8 allows an attacker to perform SSRF style attacks on webservices that take at least one parameter of any type. Users of other data bindings (including the default databinding) are not impacted.

A server-side request forgery (SSRF) vulnerability was found in Apache CXF.

References:
  http://www.openwall.com/lists/oss-security/2024/03/14/3
  https://cxf.apache.org/security-advisories.data/CVE-2024-28752.txt
  https://security.netapp.com/advisory/ntap-20240517-0001
  https://access.redhat.com/security/cve/CVE-2024-28752
  https://bugzilla.redhat.com/show_bug.cgi?id=2270732
Weakness: CWE-918: Server-Side Request Forgery (SSRF)

CVSS: 9.8 | EPSS: 4% | CPEs: 2 | EXPL: 0

An SSRF vulnerability in parsing the href attribute of XOP:Include in MTOM requests in versions of Apache CXF before 3.5.5 and 3.4.10 allows an attacker to perform SSRF style attacks on webservices that take at least one parameter of any type.

An SSRF vulnerability was found in Apache CXF. This issue occurs when parsing the href attribute of XOP:Include in MTOM requests, allowing an attacker to perform SSRF style attacks on webservices that take at least one parameter of any type.

References:
  https://cxf.apache.org/security-advisories.data/CVE-2022-46364.txt?version=1&modificationDate=1670944472739&api=v2
  https://access.redhat.com/security/cve/CVE-2022-46364
  https://bugzilla.redhat.com/show_bug.cgi?id=2155682
Weakness: CWE-918: Server-Side Request Forgery (SSRF)