CVE-2019-12406 – cxf: does not restrict the number of message attachments

https://notcve.org/view.php?id=CVE-2019-12406

06 Nov 2019 — Apache CXF before 3.3.4 and 3.2.11 does not restrict the number of message attachments present in a given message. This leaves open the possibility of a denial of service type attack, where a malicious user crafts a message containing a very large number of message attachments. From the 3.3.4 and 3.2.11 releases, a default limit of 50 message attachments is enforced. This is configurable via the message property "attachment-max-count". Apache CXF versiones anteriores a la versión 3.3.4 y 3.2.11, no restring... • http://cxf.apache.org/security-advisories.data/CVE-2019-12406.txt.asc • CWE-400: Uncontrolled Resource Consumption CWE-770: Allocation of Resources Without Limits or Throttling •