CVE-2024-28752 - Vulnerability Details

A SSRF vulnerability using the Aegis DataBinding in versions of Apache CXF before 4.0.4, 3.6.3 and 3.5.8 allows an attacker to perform SSRF style attacks on webservices that take at least one parameter of any type. Users of other data bindings (including the default databinding) are not impacted.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact High

Integrity Impact High

Availability Impact None

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation none

Automatable no

Technical Impact total

Vendors	Products
Apache	Cxf
Netapp	Oncommand Workflow Automation
Redhat	Apache Camel Spring Boot Camel K Camel Quarkus Jboss Enterprise Application Platform Jboss Enterprise Application Platform Eus Jboss Fuse

No data.

Package	CPE	Advisory	Released Date
Red Hat build of Apache Camel 3.20.6 for Spring Boot
cxf-core	cpe:/a:redhat:apache_camel_spring_boot:3.20.6	RHSA-2024:3708	2024-06-06T00:00:00Z
Red Hat build of Apache Camel for Quarkus
	cpe:/a:redhat:camel_quarkus:3	RHSA-2024:2834	2024-05-16T00:00:00Z
	cpe:/a:redhat:camel_quarkus:3	RHSA-2024:2852	2024-05-15T00:00:00Z
Red Hat Fuse 7.13.0
	cpe:/a:redhat:jboss_fuse:7	RHSA-2024:3354	2024-05-23T00:00:00Z
Red Hat JBoss Enterprise Application Platform 7
cxf-core	cpe:/a:redhat:jboss_enterprise_application_platform:7.4	RHSA-2024:3563	2024-06-03T00:00:00Z
Red Hat JBoss Enterprise Application Platform 7.1 EUS for RHEL 7
eap7-apache-cxf-0:3.1.16-3.SP1_redhat_00001.1.ep7.el7	cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.1::el7	RHSA-2024:10208	2024-11-25T00:00:00Z
eap7-avro-0:1.7.6-2.redhat_00003.1.ep7.el7	cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.1::el7	RHSA-2024:10208	2024-11-25T00:00:00Z
eap7-bouncycastle-0:1.68.0-1.redhat_00005.1.ep7.el7	cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.1::el7	RHSA-2024:10208	2024-11-25T00:00:00Z
eap7-h2database-0:1.4.197-2.redhat_00005.1.ep7.el7	cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.1::el7	RHSA-2024:10208	2024-11-25T00:00:00Z
eap7-jackson-databind-0:2.8.11.6-1.SP1_redhat_00001.1.ep7.el7	cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.1::el7	RHSA-2024:10208	2024-11-25T00:00:00Z
eap7-jboss-marshalling-0:2.0.15-1.Final_redhat_00001.1.ep7.el7	cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.1::el7	RHSA-2024:10208	2024-11-25T00:00:00Z
eap7-jboss-xnio-base-0:3.5.10-1.Final_redhat_00001.1.ep7.el7	cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.1::el7	RHSA-2024:10208	2024-11-25T00:00:00Z
eap7-wildfly-0:7.1.8-2.GA_redhat_00002.1.ep7.el7	cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.1::el7	RHSA-2024:10208	2024-11-25T00:00:00Z
eap7-xalan-j2-0:2.7.1-26.redhat_00015.1.ep7.el7	cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.1::el7	RHSA-2024:10208	2024-11-25T00:00:00Z
Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7
eap7-apache-cxf-0:3.4.10-1.SP1_redhat_00001.1.el7eap	cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.3::el7	RHSA-2024:10207	2024-11-25T00:00:00Z
eap7-avro-0:1.7.6-8.redhat_00003.1.el7eap	cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.3::el7	RHSA-2024:10207	2024-11-25T00:00:00Z
eap7-h2database-0:1.4.197-3.redhat_00004.1.el7eap	cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.3::el7	RHSA-2024:10207	2024-11-25T00:00:00Z
eap7-jboss-annotations-api_1.3_spec-0:2.0.1-4.Final_redhat_00001.1.el7eap	cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.3::el7	RHSA-2024:10207	2024-11-25T00:00:00Z
eap7-jboss-marshalling-0:2.0.15-1.Final_redhat_00001.1.el7eap	cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.3::el7	RHSA-2024:10207	2024-11-25T00:00:00Z
eap7-jboss-server-migration-0:1.7.2-12.Final_redhat_00013.1.el7eap	cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.3::el7	RHSA-2024:10207	2024-11-25T00:00:00Z
eap7-jboss-xnio-base-0:3.7.13-1.Final_redhat_00001.1.el7eap	cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.3::el7	RHSA-2024:10207	2024-11-25T00:00:00Z
eap7-log4j-jboss-logmanager-0:1.2.2-2.Final_redhat_00002.1.el7eap	cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.3::el7	RHSA-2024:10207	2024-11-25T00:00:00Z
eap7-wildfly-0:7.3.11-4.GA_redhat_00002.1.el7eap	cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.3::el7	RHSA-2024:10207	2024-11-25T00:00:00Z
eap7-wss4j-0:2.3.3-2.redhat_00001.1.el7eap	cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.3::el7	RHSA-2024:10207	2024-11-25T00:00:00Z
eap7-xalan-j2-0:2.7.1-38.redhat_00015.1.el7eap	cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.3::el7	RHSA-2024:10207	2024-11-25T00:00:00Z
eap7-xml-security-0:2.2.3-2.redhat_00001.1.el7eap	cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.3::el7	RHSA-2024:10207	2024-11-25T00:00:00Z
Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 8
eap7-apache-cxf-0:3.5.8-1.redhat_00001.1.el8eap	cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el8	RHSA-2024:3560	2024-06-03T00:00:00Z
eap7-hal-console-0:3.3.22-1.Final_redhat_00001.1.el8eap	cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el8	RHSA-2024:3560	2024-06-03T00:00:00Z
eap7-infinispan-0:11.0.19-2.Final_redhat_00001.1.el8eap	cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el8	RHSA-2024:3560	2024-06-03T00:00:00Z
eap7-jboss-ejb-client-0:4.0.54-3.Final_redhat_00001.1.el8eap	cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el8	RHSA-2024:3560	2024-06-03T00:00:00Z
eap7-jboss-jsf-api_2.3_spec-0:3.0.0-8.SP08_redhat_00001.1.el8eap	cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el8	RHSA-2024:3560	2024-06-03T00:00:00Z
eap7-jboss-metadata-0:13.5.0-1.Final_redhat_00001.1.el8eap	cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el8	RHSA-2024:3560	2024-06-03T00:00:00Z
eap7-jboss-modules-0:1.12.3-3.Final_redhat_00001.1.el8eap	cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el8	RHSA-2024:3560	2024-06-03T00:00:00Z
eap7-jboss-server-migration-0:1.10.0-36.Final_redhat_00035.1.el8eap	cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el8	RHSA-2024:3560	2024-06-03T00:00:00Z
eap7-undertow-0:2.2.32-1.SP1_redhat_00001.1.el8eap	cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el8	RHSA-2024:3560	2024-06-03T00:00:00Z
eap7-wildfly-0:7.4.17-2.GA_redhat_00002.1.el8eap	cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el8	RHSA-2024:3560	2024-06-03T00:00:00Z
eap7-wildfly-discovery-0:1.2.4-1.Final_redhat_00001.1.el8eap	cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el8	RHSA-2024:3560	2024-06-03T00:00:00Z
eap7-wildfly-elytron-0:1.15.23-2.Final_redhat_00001.1.el8eap	cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el8	RHSA-2024:3560	2024-06-03T00:00:00Z
eap7-wildfly-http-client-0:1.1.17-1.Final_redhat_00002.1.el8eap	cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el8	RHSA-2024:3560	2024-06-03T00:00:00Z
eap7-wildfly-transaction-client-0:1.1.19-1.Final_redhat_00001.1.el8eap	cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el8	RHSA-2024:3560	2024-06-03T00:00:00Z
eap7-wss4j-0:2.4.3-1.redhat_00001.1.el8eap	cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el8	RHSA-2024:3560	2024-06-03T00:00:00Z
eap7-xml-security-0:2.3.4-1.redhat_00002.1.el8eap	cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el8	RHSA-2024:3560	2024-06-03T00:00:00Z
Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 9
eap7-apache-cxf-0:3.5.8-1.redhat_00001.1.el9eap	cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el9	RHSA-2024:3561	2024-06-03T00:00:00Z
eap7-hal-console-0:3.3.22-1.Final_redhat_00001.1.el9eap	cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el9	RHSA-2024:3561	2024-06-03T00:00:00Z
eap7-infinispan-0:11.0.19-2.Final_redhat_00001.1.el9eap	cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el9	RHSA-2024:3561	2024-06-03T00:00:00Z
eap7-jboss-ejb-client-0:4.0.54-3.Final_redhat_00001.1.el9eap	cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el9	RHSA-2024:3561	2024-06-03T00:00:00Z
eap7-jboss-jsf-api_2.3_spec-0:3.0.0-8.SP08_redhat_00001.1.el9eap	cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el9	RHSA-2024:3561	2024-06-03T00:00:00Z
eap7-jboss-metadata-0:13.5.0-1.Final_redhat_00001.1.el9eap	cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el9	RHSA-2024:3561	2024-06-03T00:00:00Z
eap7-jboss-modules-0:1.12.3-3.Final_redhat_00001.1.el9eap	cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el9	RHSA-2024:3561	2024-06-03T00:00:00Z
eap7-jboss-server-migration-0:1.10.0-36.Final_redhat_00035.1.el9eap	cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el9	RHSA-2024:3561	2024-06-03T00:00:00Z
eap7-undertow-0:2.2.32-1.SP1_redhat_00001.1.el9eap	cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el9	RHSA-2024:3561	2024-06-03T00:00:00Z
eap7-wildfly-0:7.4.17-2.GA_redhat_00002.1.el9eap	cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el9	RHSA-2024:3561	2024-06-03T00:00:00Z
eap7-wildfly-discovery-0:1.2.4-1.Final_redhat_00001.1.el9eap	cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el9	RHSA-2024:3561	2024-06-03T00:00:00Z
eap7-wildfly-elytron-0:1.15.23-2.Final_redhat_00001.1.el9eap	cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el9	RHSA-2024:3561	2024-06-03T00:00:00Z
eap7-wildfly-http-client-0:1.1.17-1.Final_redhat_00002.1.el9eap	cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el9	RHSA-2024:3561	2024-06-03T00:00:00Z
eap7-wildfly-transaction-client-0:1.1.19-1.Final_redhat_00001.1.el9eap	cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el9	RHSA-2024:3561	2024-06-03T00:00:00Z
eap7-wss4j-0:2.4.3-1.redhat_00001.1.el9eap	cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el9	RHSA-2024:3561	2024-06-03T00:00:00Z
eap7-xml-security-0:2.3.4-1.redhat_00002.1.el9eap	cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el9	RHSA-2024:3561	2024-06-03T00:00:00Z
Red Hat JBoss Enterprise Application Platform 7.4 on RHEL 7
eap7-apache-cxf-0:3.5.8-1.redhat_00001.1.el7eap	cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el7	RHSA-2024:3559	2024-06-03T00:00:00Z
Red Hat JBoss Enterprise Application Platform 8
cxf-core	cpe:/a:redhat:jboss_enterprise_application_platform:8.0	RHSA-2024:5482	2024-08-15T00:00:00Z
Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8
eap8-apache-cxf-0:4.0.4-1.redhat_00001.1.el8eap	cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8	RHSA-2024:5479	2024-08-15T00:00:00Z
eap8-apache-cxf-xjc-utils-0:4.0.0-5.redhat_00003.1.el8eap	cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8	RHSA-2024:5479	2024-08-15T00:00:00Z
Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9
eap8-apache-cxf-0:4.0.4-1.redhat_00001.1.el9eap	cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9	RHSA-2024:5481	2024-08-15T00:00:00Z
eap8-apache-cxf-xjc-utils-0:4.0.0-5.redhat_00003.1.el9eap	cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9	RHSA-2024:5481	2024-08-15T00:00:00Z
RHINT Camel-K 1.10.8
cxf-core	cpe:/a:redhat:camel_k:1.10.8	RHSA-2024:8339	2024-10-22T00:00:00Z

References

Link	Providers
http://www.openwall.com/lists/oss-security/2024/03/14/3
https://cxf.apache.org/security-advisories.data/CVE-2024-28752.txt
https://github.com/advisories/GHSA-qmgx-j96g-4428
https://nvd.nist.gov/vuln/detail/CVE-2024-28752
https://security.netapp.com/advisory/ntap-20240517-0001/
https://www.cve.org/CVERecord?id=CVE-2024-28752

History

Mon, 23 Dec 2024 03:00:00 +0000

Type	Values Removed	Values Added
First Time appeared		Redhat jboss Fuse
CPEs		cpe:/a:redhat:jboss_fuse:7
Vendors & Products		Redhat jboss Fuse

Mon, 02 Dec 2024 02:45:00 +0000

Type	Values Removed	Values Added
First Time appeared		Redhat camel Quarkus
CPEs		cpe:/a:redhat:camel_quarkus:3
Vendors & Products		Redhat camel Quarkus

Mon, 25 Nov 2024 15:15:00 +0000

Type	Values Removed	Values Added
First Time appeared		Redhat jboss Enterprise Application Platform Eus
CPEs		cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.1::el7 cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.3::el7
Vendors & Products		Redhat jboss Enterprise Application Platform Eus

Wed, 23 Oct 2024 02:45:00 +0000

Type	Values Removed	Values Added
First Time appeared		Redhat camel K
CPEs		cpe:/a:redhat:camel_k:1.10.8
Vendors & Products		Redhat camel K

Fri, 16 Aug 2024 18:45:00 +0000

Type	Values Removed	Values Added
CPEs		cpe:/a:redhat:jboss_enterprise_application_platform:8.0 cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8 cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9

MITRE

Status: PUBLISHED

Assigner: apache

Published: 2024-03-15T10:27:30.083Z

Updated: 2024-08-02T00:56:58.056Z

Reserved: 2024-03-08T12:29:39.918Z

Link: CVE-2024-28752

Vulnrichment

Updated: 2024-07-22T13:52:39.266Z

NVD

Status : Awaiting Analysis

Published: 2024-03-15T11:15:09.220

Modified: 2024-11-21T09:06:53.397

Link: CVE-2024-28752

Redhat

Severity : Important

Publid Date: 2024-03-14T00:00:00Z

Links: CVE-2024-28752 - Bugzilla

Metrics

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact High

Integrity Impact High

Availability Impact None

User Interaction Required

Exploitation none

Automatable no

Technical Impact total

Affected Vendors & Products

Metrics

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact High

Integrity Impact High

Availability Impact None

User Interaction Required

Exploitation none

Automatable no

Technical Impact total

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object