CVE-2024-28752
Apache CXF SSRF Vulnerability using the Aegis databinding
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits: 0
Exploited in Wild: -
Decision
Descriptions
A SSRF vulnerability using the Aegis DataBinding in versions of Apache CXF before 4.0.4, 3.6.3 and 3.5.8 allows an attacker to perform SSRF style attacks on webservices that take at least one parameter of any type. Users of other data bindings (including the default databinding) are not impacted.
An SSRF vulnerability using the Aegis DataBinding in versions of Apache CXF prior to 4.0.4, 3.6.3 and 3.5.8 allows an attacker to perform SSRF-style attacks on web services that take at least one parameter of any type. Users of other data bindings (including the default data binding) are not affected.
A server-side request forgery (SSRF) vulnerability was found in Apache CXF. This issue occurs in attacks on web services that take at least one parameter of any type, and only when the Aegis databinding is used. Users of other data bindings, including the default databinding, are not impacted.
CVSS Scores
SSVC
- Decision: Track*
Timeline
- 2024-03-08 CVE Reserved
- 2024-03-15 CVE Published
- 2024-06-11 EPSS Updated
- 2024-08-02 CVE Updated
- (no date) Exploited in Wild
- (no date) KEV Due Date
- (no date) First Exploit
CWE
- CWE-918: Server-Side Request Forgery (SSRF)
CAPEC
References (5)
URL | Date | Source |
---|---|---|
http://www.openwall.com/lists/oss-security/2024/03/14/3 | | |
https://security.netapp.com/advisory/ntap-20240517-0001 | | |
https://cxf.apache.org/security-advisories.data/CVE-2024-28752.txt | 2024-06-10 | |
https://access.redhat.com/security/cve/CVE-2024-28752 | 2024-10-22 | |
https://bugzilla.redhat.com/show_bug.cgi?id=2270732 | 2024-10-22 | |
Affected Vendors, Products, and Versions
Vendor | Product | Version | Status |
---|---|---|---|
Apache Software Foundation | Apache CXF | < 4.0.4 | Affected |
Apache Software Foundation | Apache CXF | < 3.6.3 | Affected |
Apache Software Foundation | Apache CXF | < 3.5.8 | Affected |