CVE-2014-0109
CXF: HTML content posted to SOAP endpoint could cause OOM errors
Severity Score
4.3
*CVSS v3
Exploit Likelihood
*EPSS
Affected Versions
*CPE
Public Exploits
0
*Multiple Sources
Exploited in Wild
-
*KEV
Decision
-
*SSVC
Descriptions
Apache CXF before 2.6.14 and 2.7.x before 2.7.11 allows remote attackers to cause a denial of service (memory consumption) via a large request with the Content-Type set to text/html to a SOAP endpoint, which triggers an error.
Apache CXF anterior a 2.6.14 y 2.7.x anterior a 2.7.11 permite a atacantes remotos causar una denegación de servicio (consumo de memoria) a través de una solicitud grande con la configuración Content-Type hacia text/html hacia un endpoint SOAP, lo que provoca un error.
A denial of service flaw was found in the way Apache CXF created error messages for certain POST requests. A remote attacker could send a specially crafted request which, when processed by an application using Apache CXF, could consume an excessive amount of memory on the system, possibly triggering an Out Of Memory (OOM) error.
Red Hat JBoss Fuse, based on Apache ServiceMix, provides a small-footprint, flexible, open source enterprise service bus and integration platform. Red Hat JBoss A-MQ, based on Apache ActiveMQ, is a standards compliant messaging system that is tailored for use in mission critical applications. This patch is an update to Red Hat JBoss Fuse 6.1.0 and Red Hat JBoss A-MQ 6.1.0. It includes bug fixes and enhancements, which are documented in the readme.txt file included with the patch files. The following security issues are addressed in this release: It was discovered that Apache Shiro authenticated users without specifying a user name or a password when used in conjunction with an LDAP back end that allowed unauthenticated binds.
*Credits:
N/A
CVSS Scores
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability
Attack Vector
Attack Complexity
Authentication
Confidentiality
Integrity
Availability
Attack Vector
Attack Complexity
Authentication
Confidentiality
Integrity
Availability
* Common Vulnerability Scoring System
SSVC
- Decision:-
Exploitation
Automatable
Tech. Impact
* Organization's Worst-case Scenario
Timeline
- 2013-12-03 CVE Reserved
- 2014-05-08 CVE Published
- 2024-08-06 CVE Updated
- 2025-03-30 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-399: Resource Management Errors
- CWE-770: Allocation of Resources Without Limits or Throttling
CAPEC
References (13)
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Apache Search vendor "Apache" | Cxf Search vendor "Apache" for product "Cxf" | 2.7.0 Search vendor "Apache" for product "Cxf" and version "2.7.0" | - |
Affected
| ||||||
| Apache Search vendor "Apache" | Cxf Search vendor "Apache" for product "Cxf" | 2.7.1 Search vendor "Apache" for product "Cxf" and version "2.7.1" | - |
Affected
| ||||||
| Apache Search vendor "Apache" | Cxf Search vendor "Apache" for product "Cxf" | 2.7.2 Search vendor "Apache" for product "Cxf" and version "2.7.2" | - |
Affected
| ||||||
| Apache Search vendor "Apache" | Cxf Search vendor "Apache" for product "Cxf" | 2.7.3 Search vendor "Apache" for product "Cxf" and version "2.7.3" | - |
Affected
| ||||||
| Apache Search vendor "Apache" | Cxf Search vendor "Apache" for product "Cxf" | 2.7.4 Search vendor "Apache" for product "Cxf" and version "2.7.4" | - |
Affected
| ||||||
| Apache Search vendor "Apache" | Cxf Search vendor "Apache" for product "Cxf" | 2.7.5 Search vendor "Apache" for product "Cxf" and version "2.7.5" | - |
Affected
| ||||||
| Apache Search vendor "Apache" | Cxf Search vendor "Apache" for product "Cxf" | 2.7.6 Search vendor "Apache" for product "Cxf" and version "2.7.6" | - |
Affected
| ||||||
| Apache Search vendor "Apache" | Cxf Search vendor "Apache" for product "Cxf" | 2.7.7 Search vendor "Apache" for product "Cxf" and version "2.7.7" | - |
Affected
| ||||||
| Apache Search vendor "Apache" | Cxf Search vendor "Apache" for product "Cxf" | 2.7.8 Search vendor "Apache" for product "Cxf" and version "2.7.8" | - |
Affected
| ||||||
| Apache Search vendor "Apache" | Cxf Search vendor "Apache" for product "Cxf" | 2.7.9 Search vendor "Apache" for product "Cxf" and version "2.7.9" | - |
Affected
| ||||||
| Apache Search vendor "Apache" | Cxf Search vendor "Apache" for product "Cxf" | 2.7.10 Search vendor "Apache" for product "Cxf" and version "2.7.10" | - |
Affected
| ||||||
| Apache Search vendor "Apache" | Cxf Search vendor "Apache" for product "Cxf" | <= 2.6.13 Search vendor "Apache" for product "Cxf" and version " <= 2.6.13" | - |
Affected
| ||||||
| Apache Search vendor "Apache" | Cxf Search vendor "Apache" for product "Cxf" | 2.4.0 Search vendor "Apache" for product "Cxf" and version "2.4.0" | - |
Affected
| ||||||
| Apache Search vendor "Apache" | Cxf Search vendor "Apache" for product "Cxf" | 2.4.1 Search vendor "Apache" for product "Cxf" and version "2.4.1" | - |
Affected
| ||||||
| Apache Search vendor "Apache" | Cxf Search vendor "Apache" for product "Cxf" | 2.4.2 Search vendor "Apache" for product "Cxf" and version "2.4.2" | - |
Affected
| ||||||
| Apache Search vendor "Apache" | Cxf Search vendor "Apache" for product "Cxf" | 2.4.3 Search vendor "Apache" for product "Cxf" and version "2.4.3" | - |
Affected
| ||||||
| Apache Search vendor "Apache" | Cxf Search vendor "Apache" for product "Cxf" | 2.4.4 Search vendor "Apache" for product "Cxf" and version "2.4.4" | - |
Affected
| ||||||
| Apache Search vendor "Apache" | Cxf Search vendor "Apache" for product "Cxf" | 2.4.5 Search vendor "Apache" for product "Cxf" and version "2.4.5" | - |
Affected
| ||||||
| Apache Search vendor "Apache" | Cxf Search vendor "Apache" for product "Cxf" | 2.4.6 Search vendor "Apache" for product "Cxf" and version "2.4.6" | - |
Affected
| ||||||
| Apache Search vendor "Apache" | Cxf Search vendor "Apache" for product "Cxf" | 2.4.7 Search vendor "Apache" for product "Cxf" and version "2.4.7" | - |
Affected
| ||||||
| Apache Search vendor "Apache" | Cxf Search vendor "Apache" for product "Cxf" | 2.5.0 Search vendor "Apache" for product "Cxf" and version "2.5.0" | - |
Affected
| ||||||
| Apache Search vendor "Apache" | Cxf Search vendor "Apache" for product "Cxf" | 2.5.1 Search vendor "Apache" for product "Cxf" and version "2.5.1" | - |
Affected
| ||||||
| Apache Search vendor "Apache" | Cxf Search vendor "Apache" for product "Cxf" | 2.5.2 Search vendor "Apache" for product "Cxf" and version "2.5.2" | - |
Affected
| ||||||
| Apache Search vendor "Apache" | Cxf Search vendor "Apache" for product "Cxf" | 2.5.3 Search vendor "Apache" for product "Cxf" and version "2.5.3" | - |
Affected
| ||||||
| Apache Search vendor "Apache" | Cxf Search vendor "Apache" for product "Cxf" | 2.5.4 Search vendor "Apache" for product "Cxf" and version "2.5.4" | - |
Affected
| ||||||
| Apache Search vendor "Apache" | Cxf Search vendor "Apache" for product "Cxf" | 2.5.5 Search vendor "Apache" for product "Cxf" and version "2.5.5" | - |
Affected
| ||||||
| Apache Search vendor "Apache" | Cxf Search vendor "Apache" for product "Cxf" | 2.5.6 Search vendor "Apache" for product "Cxf" and version "2.5.6" | - |
Affected
| ||||||
| Apache Search vendor "Apache" | Cxf Search vendor "Apache" for product "Cxf" | 2.5.7 Search vendor "Apache" for product "Cxf" and version "2.5.7" | - |
Affected
| ||||||
| Apache Search vendor "Apache" | Cxf Search vendor "Apache" for product "Cxf" | 2.5.8 Search vendor "Apache" for product "Cxf" and version "2.5.8" | - |
Affected
| ||||||
| Apache Search vendor "Apache" | Cxf Search vendor "Apache" for product "Cxf" | 2.5.9 Search vendor "Apache" for product "Cxf" and version "2.5.9" | - |
Affected
| ||||||
| Apache Search vendor "Apache" | Cxf Search vendor "Apache" for product "Cxf" | 2.6.0 Search vendor "Apache" for product "Cxf" and version "2.6.0" | - |
Affected
| ||||||
| Apache Search vendor "Apache" | Cxf Search vendor "Apache" for product "Cxf" | 2.6.1 Search vendor "Apache" for product "Cxf" and version "2.6.1" | - |
Affected
| ||||||
| Apache Search vendor "Apache" | Cxf Search vendor "Apache" for product "Cxf" | 2.6.2 Search vendor "Apache" for product "Cxf" and version "2.6.2" | - |
Affected
| ||||||
| Apache Search vendor "Apache" | Cxf Search vendor "Apache" for product "Cxf" | 2.6.3 Search vendor "Apache" for product "Cxf" and version "2.6.3" | - |
Affected
| ||||||
| Apache Search vendor "Apache" | Cxf Search vendor "Apache" for product "Cxf" | 2.6.4 Search vendor "Apache" for product "Cxf" and version "2.6.4" | - |
Affected
| ||||||
| Apache Search vendor "Apache" | Cxf Search vendor "Apache" for product "Cxf" | 2.6.5 Search vendor "Apache" for product "Cxf" and version "2.6.5" | - |
Affected
| ||||||
| Apache Search vendor "Apache" | Cxf Search vendor "Apache" for product "Cxf" | 2.6.6 Search vendor "Apache" for product "Cxf" and version "2.6.6" | - |
Affected
| ||||||
| Apache Search vendor "Apache" | Cxf Search vendor "Apache" for product "Cxf" | 2.6.7 Search vendor "Apache" for product "Cxf" and version "2.6.7" | - |
Affected
| ||||||
| Apache Search vendor "Apache" | Cxf Search vendor "Apache" for product "Cxf" | 2.6.8 Search vendor "Apache" for product "Cxf" and version "2.6.8" | - |
Affected
| ||||||
| Apache Search vendor "Apache" | Cxf Search vendor "Apache" for product "Cxf" | 2.6.9 Search vendor "Apache" for product "Cxf" and version "2.6.9" | - |
Affected
| ||||||
| Apache Search vendor "Apache" | Cxf Search vendor "Apache" for product "Cxf" | 2.6.10 Search vendor "Apache" for product "Cxf" and version "2.6.10" | - |
Affected
| ||||||
| Apache Search vendor "Apache" | Cxf Search vendor "Apache" for product "Cxf" | 2.6.11 Search vendor "Apache" for product "Cxf" and version "2.6.11" | - |
Affected
| ||||||
| Apache Search vendor "Apache" | Cxf Search vendor "Apache" for product "Cxf" | 2.6.12 Search vendor "Apache" for product "Cxf" and version "2.6.12" | - |
Affected
| ||||||