Filtered by vendor Apache Subscriptions
Filtered by product Cxf Subscriptions
Total 40 CVE
CVE Vendors Products Updated CVSS v3.1
CVE-2024-41172 2 Apache, Redhat 3 Cxf, Camel Quarkus, Jboss Enterprise Application Platform 2024-11-21 7.5 High
In versions of Apache CXF before 3.6.4 and 4.0.5 (3.5.x and lower versions are not impacted), a CXF HTTP client conduit may prevent HTTPClient instances from being garbage collected and it is possible that memory consumption will continue to increase, eventually causing the application to run out of memory
CVE-2024-32007 2 Apache, Redhat 3 Cxf, Apache Camel Spring Boot, Camel Quarkus 2024-11-21 7.5 High
An improper input validation of the p2c parameter in the Apache CXF JOSE code before 4.0.5, 3.6.4 and 3.5.9 allows an attacker to perform a denial of service attack by specifying a large value for this parameter in a token. 
CVE-2024-29736 2 Apache, Redhat 2 Cxf, Apache Camel Spring Boot 2024-11-21 7.5 High
A SSRF vulnerability in WADL service description in versions of Apache CXF before 4.0.5, 3.6.4 and 3.5.9 allows an attacker to perform SSRF style attacks on REST webservices. The attack only applies if a custom stylesheet parameter is configured.
CVE-2024-28752 3 Apache, Netapp, Redhat 8 Cxf, Oncommand Workflow Automation, Apache Camel Spring Boot and 5 more 2024-11-21 9.3 Critical
A SSRF vulnerability using the Aegis DataBinding in versions of Apache CXF before 4.0.4, 3.6.3 and 3.5.8 allows an attacker to perform SSRF style attacks on webservices that take at least one parameter of any type. Users of other data bindings (including the default databinding) are not impacted.
CVE-2022-46364 2 Apache, Redhat 10 Cxf, Camel Spring Boot, Jboss Enterprise Application Platform and 7 more 2024-11-21 9.8 Critical
A SSRF vulnerability in parsing the href attribute of XOP:Include in MTOM requests in versions of Apache CXF before 3.5.5 and 3.4.10 allows an attacker to perform SSRF style attacks on webservices that take at least one parameter of any type. 
CVE-2022-46363 2 Apache, Redhat 8 Cxf, Camel K, Camel Spring Boot and 5 more 2024-11-21 7.5 High
A vulnerability in Apache CXF before versions 3.5.5 and 3.4.10 allows an attacker to perform a remote directory listing or code exfiltration. The vulnerability only applies when the CXFServlet is configured with both the static-resources-list and redirect-query-check attributes. These attributes are not supposed to be used together, and so the vulnerability can only arise if the CXF service is misconfigured.
CVE-2021-40690 4 Apache, Debian, Oracle and 1 more 26 Cxf, Santuario Xml Security For Java, Tomee and 23 more 2024-11-21 7.5 High
All versions of Apache Santuario - XML Security for Java prior to 2.2.3 and 2.1.7 are vulnerable to an issue where the "secureValidation" property is not passed correctly when creating a KeyInfo from a KeyInfoReference element. This allows an attacker to abuse an XPath Transform to extract any local .xml files in a RetrievalMethod element.
CVE-2021-30468 3 Apache, Oracle, Redhat 8 Cxf, Tomee, Business Intelligence and 5 more 2024-11-21 7.5 High
A vulnerability in the JsonMapObjectReaderWriter of Apache CXF allows an attacker to submit malformed JSON to a web service, which results in the thread getting stuck in an infinite loop, consuming CPU indefinitely. This issue affects Apache CXF versions prior to 3.4.4; Apache CXF versions prior to 3.3.11.
CVE-2021-22696 3 Apache, Oracle, Redhat 8 Cxf, Business Intelligence, Communications Diameter Intelligence Hub and 5 more 2024-11-21 7.5 High
CXF supports (via JwtRequestCodeFilter) passing OAuth 2 parameters via a JWT token as opposed to query parameters (see: The OAuth 2.0 Authorization Framework: JWT Secured Authorization Request (JAR)). Instead of sending a JWT token as a "request" parameter, the spec also supports specifying a URI from which to retrieve a JWT token from via the "request_uri" parameter. CXF was not validating the "request_uri" parameter (apart from ensuring it uses "https) and was making a REST request to the parameter in the request to retrieve a token. This means that CXF was vulnerable to DDos attacks on the authorization server, as specified in section 10.4.1 of the spec. This issue affects Apache CXF versions prior to 3.4.3; Apache CXF versions prior to 3.3.10.
CVE-2020-1954 4 Apache, Netapp, Oracle and 1 more 15 Cxf, Oncommand Workflow Automation, Snapmanager and 12 more 2024-11-21 5.3 Medium
Apache CXF has the ability to integrate with JMX by registering an InstrumentationManager extension with the CXF bus. If the ‘createMBServerConnectorFactory‘ property of the default InstrumentationManagerImpl is not disabled, then it is vulnerable to a man-in-the-middle (MITM) style attack. An attacker on the same host can connect to the registry and rebind the entry to another server, thus acting as a proxy to the original. They are then able to gain access to all of the information that is sent and received over JMX.
CVE-2020-13954 4 Apache, Netapp, Oracle and 1 more 8 Cxf, Snap Creator Framework, Vasa Provider For Clustered Data Ontap and 5 more 2024-11-21 6.1 Medium
By default, Apache CXF creates a /services page containing a listing of the available endpoint names and addresses. This webpage is vulnerable to a reflected Cross-Site Scripting (XSS) attack via the styleSheetPath, which allows a malicious actor to inject javascript into the web page. This vulnerability affects all versions of Apache CXF prior to 3.4.1 and 3.3.8. Please note that this is a separate issue to CVE-2019-17573.
CVE-2019-17573 3 Apache, Oracle, Redhat 14 Cxf, Commerce Guided Search, Communications Element Manager and 11 more 2024-11-21 6.1 Medium
By default, Apache CXF creates a /services page containing a listing of the available endpoint names and addresses. This webpage is vulnerable to a reflected Cross-Site Scripting (XSS) attack, which allows a malicious actor to inject javascript into the web page. Please note that the attack exploits a feature which is not typically not present in modern browsers, who remove dot segments before sending the request. However, Mobile applications may be vulnerable.
CVE-2019-12423 3 Apache, Oracle, Redhat 14 Cxf, Commerce Guided Search, Communications Diameter Signaling Router and 11 more 2024-11-21 7.5 High
Apache CXF ships with a OpenId Connect JWK Keys service, which allows a client to obtain the public keys in JWK format, which can then be used to verify the signature of tokens issued by the service. Typically, the service obtains the public key from a local keystore (JKS/PKCS12) by specifing the path of the keystore and the alias of the keystore entry. This case is not vulnerable. However it is also possible to obtain the keys from a JWK keystore file, by setting the configuration parameter "rs.security.keystore.type" to "jwk". For this case all keys are returned in this file "as is", including all private key and secret key credentials. This is an obvious security risk if the user has configured the signature keystore file with private or secret key credentials. From CXF 3.3.5 and 3.2.12, it is mandatory to specify an alias corresponding to the id of the key in the JWK file, and only this key is returned. In addition, any private key information is omitted by default. "oct" keys, which contain secret keys, are not returned at all.
CVE-2019-12419 3 Apache, Oracle, Redhat 8 Cxf, Commerce Guided Search, Enterprise Manager Base Platform and 5 more 2024-11-21 9.8 Critical
Apache CXF before 3.3.4 and 3.2.11 provides all of the components that are required to build a fully fledged OpenId Connect service. There is a vulnerability in the access token services, where it does not validate that the authenticated principal is equal to that of the supplied clientId parameter in the request. If a malicious client was able to somehow steal an authorization code issued to another client, then they could exploit this vulnerability to obtain an access token for the other client.
CVE-2019-12406 3 Apache, Oracle, Redhat 8 Cxf, Commerce Guided Search, Flexcube Private Banking and 5 more 2024-11-21 6.5 Medium
Apache CXF before 3.3.4 and 3.2.11 does not restrict the number of message attachments present in a given message. This leaves open the possibility of a denial of service type attack, where a malicious user crafts a message containing a very large number of message attachments. From the 3.3.4 and 3.2.11 releases, a default limit of 50 message attachments is enforced. This is configurable via the message property "attachment-max-count".
CVE-2018-8039 2 Apache, Redhat 6 Cxf, Enterprise Linux, Jboss Amq and 3 more 2024-11-21 N/A
It is possible to configure Apache CXF to use the com.sun.net.ssl implementation via 'System.setProperty("java.protocol.handler.pkgs", "com.sun.net.ssl.internal.www.protocol");'. When this system property is set, CXF uses some reflection to try to make the HostnameVerifier work with the old com.sun.net.ssl.HostnameVerifier interface. However, the default HostnameVerifier implementation in CXF does not implement the method in this interface, and an exception is thrown. However, in Apache CXF prior to 3.2.5 and 3.1.16 the exception is caught in the reflection code and not properly propagated. What this means is that if you are using the com.sun.net.ssl stack with CXF, an error with TLS hostname verification will not be thrown, leaving a CXF client subject to man-in-the-middle attacks.
CVE-2017-5656 2 Apache, Redhat 4 Cxf, Jboss Amq, Jboss Fuse and 1 more 2024-11-21 N/A
Apache CXF's STSClient before 3.1.11 and 3.0.13 uses a flawed way of caching tokens that are associated with delegation tokens, which means that an attacker could craft a token which would return an identifer corresponding to a cached token for another user.
CVE-2017-5653 2 Apache, Redhat 3 Cxf, Jboss Amq, Jboss Fuse 2024-11-21 N/A
JAX-RS XML Security streaming clients in Apache CXF before 3.1.11 and 3.0.13 do not validate that the service response was signed or encrypted, which allows remote attackers to spoof servers.
CVE-2017-3156 2 Apache, Redhat 3 Cxf, Jboss Amq, Jboss Fuse 2024-11-21 N/A
The OAuth2 Hawk and JOSE MAC Validation code in Apache CXF prior to 3.0.13 and 3.1.x prior to 3.1.10 is not using a constant time MAC signature comparison algorithm which may be exploited by sophisticated timing attacks.
CVE-2017-12624 2 Apache, Redhat 3 Cxf, Jboss Enterprise Application Platform, Jboss Single Sign On 2024-11-21 N/A
Apache CXF supports sending and receiving attachments via either the JAX-WS or JAX-RS specifications. It is possible to craft a message attachment header that could lead to a Denial of Service (DoS) attack on a CXF web service provider. Both JAX-WS and JAX-RS services are vulnerable to this attack. From Apache CXF 3.2.1 and 3.1.14, message attachment headers that are greater than 300 characters will be rejected by default. This value is configurable via the property "attachment-max-header-size".