CVE-2019-12406
cxf: does not restrict the number of message attachments
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
0Exploited in Wild
-Decision
Descriptions
Apache CXF before 3.3.4 and 3.2.11 does not restrict the number of message attachments present in a given message. This leaves open the possibility of a denial of service type attack, where a malicious user crafts a message containing a very large number of message attachments. From the 3.3.4 and 3.2.11 releases, a default limit of 50 message attachments is enforced. This is configurable via the message property "attachment-max-count".
Apache CXF versiones anteriores a la versión 3.3.4 y 3.2.11, no restringe el número de archivos adjuntos presentes en un mensaje dado. Esto deja abierta la posibilidad de un ataque de tipo denegación de servicio, en el que un usuario malicioso crea un mensaje que contiene una gran cantidad de archivos adjuntos. Desde las versiones 3.3.4 y 3.2.11, se aplica un límite predeterminado de 50 archivos adjuntos de mensajes. Esto es configurable por medio de la propiedad de mensaje "attach-max-count".
CVSS Scores
SSVC
- Decision:-
Timeline
- 2019-05-28 CVE Reserved
- 2019-11-06 CVE Published
- 2024-08-04 CVE Updated
- 2024-10-30 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-400: Uncontrolled Resource Consumption
- CWE-770: Allocation of Resources Without Limits or Throttling
CAPEC
References (16)
URL | Date | SRC |
---|
URL | Date | SRC |
---|---|---|
https://www.oracle.com/security-alerts/cpuApr2021.html | 2023-11-07 | |
https://www.oracle.com/security-alerts/cpuapr2020.html | 2023-11-07 | |
https://www.oracle.com/security-alerts/cpujan2020.html | 2023-11-07 |
URL | Date | SRC |
---|---|---|
http://cxf.apache.org/security-advisories.data/CVE-2019-12406.txt.asc | 2023-11-07 | |
https://access.redhat.com/security/cve/CVE-2019-12406 | 2020-12-16 | |
https://bugzilla.redhat.com/show_bug.cgi?id=1816170 | 2020-12-16 |
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status | ||||||
---|---|---|---|---|---|---|---|---|---|---|
Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
Apache Search vendor "Apache" | Cxf Search vendor "Apache" for product "Cxf" | < 3.2.11 Search vendor "Apache" for product "Cxf" and version " < 3.2.11" | - |
Affected
| ||||||
Apache Search vendor "Apache" | Cxf Search vendor "Apache" for product "Cxf" | >= 3.3.0 < 3.3.4 Search vendor "Apache" for product "Cxf" and version " >= 3.3.0 < 3.3.4" | - |
Affected
| ||||||
Oracle Search vendor "Oracle" | Commerce Guided Search Search vendor "Oracle" for product "Commerce Guided Search" | 11.3.2 Search vendor "Oracle" for product "Commerce Guided Search" and version "11.3.2" | - |
Affected
| ||||||
Oracle Search vendor "Oracle" | Flexcube Private Banking Search vendor "Oracle" for product "Flexcube Private Banking" | 12.0.0 Search vendor "Oracle" for product "Flexcube Private Banking" and version "12.0.0" | - |
Affected
| ||||||
Oracle Search vendor "Oracle" | Flexcube Private Banking Search vendor "Oracle" for product "Flexcube Private Banking" | 12.1.0 Search vendor "Oracle" for product "Flexcube Private Banking" and version "12.1.0" | - |
Affected
| ||||||
Oracle Search vendor "Oracle" | Retail Order Broker Search vendor "Oracle" for product "Retail Order Broker" | 15.0 Search vendor "Oracle" for product "Retail Order Broker" and version "15.0" | - |
Affected
|