CVE-2024-28752

Apache CXF SSRF Vulnerability using the Aegis databinding

Severity Score (CVSS v3.1): 9.3

Exploit Likelihood (EPSS):

Affected Versions (CPE):

Public Exploits (multiple sources): 0

Exploited in Wild (KEV): -

Decision (SSVC): Track*
Descriptions

A SSRF vulnerability using the Aegis DataBinding in versions of Apache CXF before 4.0.4, 3.6.3 and 3.5.8 allows an attacker to perform SSRF style attacks on webservices that take at least one parameter of any type. Users of other data bindings (including the default databinding) are not impacted.

A server-side request forgery (SSRF) vulnerability was found in Apache CXF. This issue affects web services that take at least one parameter of any type when the Aegis databinding is used. Users of other data bindings, including the default databinding, are not impacted.

*Credits: Tobias S. Fink
CVSS Scores
  • Vector 1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N): Attack Vector: Network; Attack Complexity: Low; Privileges Required: None; User Interaction: Required; Scope: Changed; Confidentiality: High; Integrity: High; Availability: None
  • Vector 2 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N): Attack Vector: Network; Attack Complexity: High; Privileges Required: None; User Interaction: None; Scope: Unchanged; Confidentiality: High; Integrity: High; Availability: None
* Common Vulnerability Scoring System
SSVC
  • Decision: Track*
  • Exploitation: None
  • Automatable: No
  • Tech. Impact: Total
* Organization's Worst-case Scenario
Timeline
  • 2024-03-08 CVE Reserved
  • 2024-03-15 CVE Published
  • 2024-06-11 EPSS Updated
  • 2024-08-02 CVE Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
  • CWE-918: Server-Side Request Forgery (SSRF)
CAPEC
Affected Vendors, Products, and Versions
  • Apache Software Foundation, Apache CXF, version < 4.0.4: Affected
  • Apache Software Foundation, Apache CXF, version < 3.6.3: Affected
  • Apache Software Foundation, Apache CXF, version < 3.5.8: Affected