CVE-2024-41172 - Vulnerability Details

In versions of Apache CXF before 3.6.4 and 4.0.5 (3.5.x and lower versions are not impacted), a CXF HTTP client conduit may prevent HTTPClient instances from being garbage collected and it is possible that memory consumption will continue to increase, eventually causing the application to run out of memory

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Apache	Cxf
Redhat	Camel Quarkus Jboss Enterprise Application Platform

Configuration 1 [-]

OR	cpe:2.3:a:apache:cxf::::::::
	cpe:2.3:a:apache:cxf::::::::

Package	CPE	Advisory	Released Date
Red Hat build of Apache Camel 4 for Quarkus 3
org.apache.cxf/cxf-rt-transports-http	cpe:/a:redhat:camel_quarkus:3.8	RHSA-2024:7052	2024-09-24T00:00:00Z
Red Hat JBoss Enterprise Application Platform 8
org.apache.cxf/cxf-rt-transports-http	cpe:/a:redhat:jboss_enterprise_application_platform:8.0	RHSA-2024:8826	2024-11-04T00:00:00Z
Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8
eap8-activemq-artemis-0:2.33.0-1.redhat_00015.1.el8eap	cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8	RHSA-2024:8823	2024-11-04T00:00:00Z
eap8-activemq-artemis-native-1:2.0.0-2.redhat_00005.1.el8eap	cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8	RHSA-2024:8823	2024-11-04T00:00:00Z
eap8-aesh-extensions-0:1.8.0-2.redhat_00001.1.el8eap	cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8	RHSA-2024:8823	2024-11-04T00:00:00Z
eap8-aesh-readline-0:2.2.0-2.redhat_00001.1.el8eap	cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8	RHSA-2024:8823	2024-11-04T00:00:00Z
eap8-apache-commons-codec-0:1.16.1-2.redhat_00007.1.el8eap	cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8	RHSA-2024:8823	2024-11-04T00:00:00Z
eap8-apache-commons-collections-0:3.2.2-28.redhat_2.1.el8eap	cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8	RHSA-2024:8823	2024-11-04T00:00:00Z
eap8-apache-commons-io-0:2.15.1-1.redhat_00001.1.el8eap	cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8	RHSA-2024:8823	2024-11-04T00:00:00Z
eap8-apache-commons-lang-0:3.14.0-2.redhat_00006.1.el8eap	cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8	RHSA-2024:8823	2024-11-04T00:00:00Z
eap8-apache-cxf-0:4.0.5-1.redhat_00001.1.el8eap	cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8	RHSA-2024:8823	2024-11-04T00:00:00Z
eap8-artemis-native-1:2.0.0-2.redhat_00005.1.el8eap	cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8	RHSA-2024:8823	2024-11-04T00:00:00Z
eap8-artemis-wildfly-integration-0:2.0.1-1.redhat_00002.1.el8eap	cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8	RHSA-2024:8823	2024-11-04T00:00:00Z
eap8-asyncutil-0:0.1.0-2.redhat_00010.1.el8eap	cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8	RHSA-2024:8823	2024-11-04T00:00:00Z
eap8-aws-java-sdk-0:1.12.284-2.redhat_00002.1.el8eap	cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8	RHSA-2024:8823	2024-11-04T00:00:00Z
eap8-cryptacular-0:1.2.5-2.redhat_00001.1.el8eap	cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8	RHSA-2024:8823	2024-11-04T00:00:00Z
eap8-eap-product-conf-parent-0:800.4.0-1.GA_redhat_00001.1.el8eap	cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8	RHSA-2024:8823	2024-11-04T00:00:00Z
eap8-fastinfoset-0:2.1.0-4.redhat_00001.1.el8eap	cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8	RHSA-2024:8823	2024-11-04T00:00:00Z
eap8-hibernate-0:6.2.31-1.Final_redhat_00002.1.el8eap	cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8	RHSA-2024:8823	2024-11-04T00:00:00Z
eap8-hibernate-validator-0:8.0.1-3.Final_redhat_00001.1.el8eap	cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8	RHSA-2024:8823	2024-11-04T00:00:00Z
eap8-hppc-0:0.8.1-2.redhat_00001.1.el8eap	cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8	RHSA-2024:8823	2024-11-04T00:00:00Z
eap8-insights-java-client-0:1.1.3-1.redhat_00001.1.el8eap	cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8	RHSA-2024:8823	2024-11-04T00:00:00Z
eap8-jakarta-servlet-jsp-jstl-api-0:3.0.1-1.redhat_00001.1.el8eap	cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8	RHSA-2024:8823	2024-11-04T00:00:00Z
eap8-jboss-cert-helper-0:1.1.3-1.redhat_00001.1.el8eap	cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8	RHSA-2024:8823	2024-11-04T00:00:00Z
eap8-jboss-logging-0:3.5.3-1.Final_redhat_00001.1.el8eap	cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8	RHSA-2024:8823	2024-11-04T00:00:00Z
eap8-jctools-0:4.0.2-1.redhat_00001.1.el8eap	cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8	RHSA-2024:8823	2024-11-04T00:00:00Z
eap8-jgroups-0:5.3.10-1.Final_redhat_00001.1.el8eap	cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8	RHSA-2024:8823	2024-11-04T00:00:00Z
eap8-log4j-0:2.22.1-1.redhat_00002.1.el8eap	cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8	RHSA-2024:8823	2024-11-04T00:00:00Z
eap8-narayana-0:6.0.3-1.Final_redhat_00001.1.el8eap	cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8	RHSA-2024:8823	2024-11-04T00:00:00Z
eap8-nimbus-jose-jwt-0:9.37.3-1.redhat_00001.1.el8eap	cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8	RHSA-2024:8823	2024-11-04T00:00:00Z
eap8-objectweb-asm-0:9.6.0-1.redhat_00002.1.el8eap	cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8	RHSA-2024:8823	2024-11-04T00:00:00Z
eap8-pem-keystore-0:2.3.0-1.redhat_00001.1.el8eap	cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8	RHSA-2024:8823	2024-11-04T00:00:00Z
eap8-resteasy-extensions-0:2.0.1-3.Final_redhat_00001.1.el8eap	cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8	RHSA-2024:8823	2024-11-04T00:00:00Z
eap8-resteasy-spring-0:3.0.1-2.Final_redhat_00001.1.el8eap	cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8	RHSA-2024:8823	2024-11-04T00:00:00Z
eap8-saaj-impl-0:3.0.4-1.redhat_00001.1.el8eap	cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8	RHSA-2024:8823	2024-11-04T00:00:00Z
eap8-shibboleth-java-support-0:8.0.0-6.redhat_00001.1.el8eap	cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8	RHSA-2024:8823	2024-11-04T00:00:00Z
eap8-slf4j-0:2.0.16-1.redhat_00001.1.el8eap	cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8	RHSA-2024:8823	2024-11-04T00:00:00Z
eap8-snakeyaml-0:2.2.0-1.redhat_00001.1.el8eap	cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8	RHSA-2024:8823	2024-11-04T00:00:00Z
eap8-wildfly-0:8.0.4-2.GA_redhat_00005.1.el8eap	cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8	RHSA-2024:8823	2024-11-04T00:00:00Z
Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9
eap8-activemq-artemis-0:2.33.0-1.redhat_00015.1.el9eap	cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9	RHSA-2024:8824	2024-11-04T00:00:00Z
eap8-activemq-artemis-native-1:2.0.0-2.redhat_00005.1.el9eap	cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9	RHSA-2024:8824	2024-11-04T00:00:00Z
eap8-aesh-extensions-0:1.8.0-2.redhat_00001.1.el9eap	cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9	RHSA-2024:8824	2024-11-04T00:00:00Z
eap8-aesh-readline-0:2.2.0-2.redhat_00001.1.el9eap	cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9	RHSA-2024:8824	2024-11-04T00:00:00Z
eap8-apache-commons-codec-0:1.16.1-2.redhat_00007.1.el9eap	cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9	RHSA-2024:8824	2024-11-04T00:00:00Z
eap8-apache-commons-collections-0:3.2.2-28.redhat_2.1.el9eap	cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9	RHSA-2024:8824	2024-11-04T00:00:00Z
eap8-apache-commons-io-0:2.15.1-1.redhat_00001.1.el9eap	cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9	RHSA-2024:8824	2024-11-04T00:00:00Z
eap8-apache-commons-lang-0:3.14.0-2.redhat_00006.1.el9eap	cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9	RHSA-2024:8824	2024-11-04T00:00:00Z
eap8-apache-cxf-0:4.0.5-1.redhat_00001.1.el9eap	cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9	RHSA-2024:8824	2024-11-04T00:00:00Z
eap8-artemis-native-1:2.0.0-2.redhat_00005.1.el9eap	cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9	RHSA-2024:8824	2024-11-04T00:00:00Z
eap8-artemis-wildfly-integration-0:2.0.1-1.redhat_00002.1.el9eap	cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9	RHSA-2024:8824	2024-11-04T00:00:00Z
eap8-asyncutil-0:0.1.0-2.redhat_00010.1.el9eap	cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9	RHSA-2024:8824	2024-11-04T00:00:00Z
eap8-aws-java-sdk-0:1.12.284-2.redhat_00002.1.el9eap	cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9	RHSA-2024:8824	2024-11-04T00:00:00Z
eap8-cryptacular-0:1.2.5-2.redhat_00001.1.el9eap	cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9	RHSA-2024:8824	2024-11-04T00:00:00Z
eap8-eap-product-conf-parent-0:800.4.0-1.GA_redhat_00001.1.el9eap	cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9	RHSA-2024:8824	2024-11-04T00:00:00Z
eap8-fastinfoset-0:2.1.0-4.redhat_00001.1.el9eap	cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9	RHSA-2024:8824	2024-11-04T00:00:00Z
eap8-hibernate-0:6.2.31-1.Final_redhat_00002.1.el9eap	cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9	RHSA-2024:8824	2024-11-04T00:00:00Z
eap8-hibernate-validator-0:8.0.1-3.Final_redhat_00001.1.el9eap	cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9	RHSA-2024:8824	2024-11-04T00:00:00Z
eap8-hppc-0:0.8.1-2.redhat_00001.1.el9eap	cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9	RHSA-2024:8824	2024-11-04T00:00:00Z
eap8-insights-java-client-0:1.1.3-1.redhat_00001.1.el9eap	cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9	RHSA-2024:8824	2024-11-04T00:00:00Z
eap8-jakarta-servlet-jsp-jstl-api-0:3.0.1-1.redhat_00001.1.el9eap	cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9	RHSA-2024:8824	2024-11-04T00:00:00Z
eap8-jboss-cert-helper-0:1.1.3-1.redhat_00001.1.el9eap	cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9	RHSA-2024:8824	2024-11-04T00:00:00Z
eap8-jboss-logging-0:3.5.3-1.Final_redhat_00001.1.el9eap	cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9	RHSA-2024:8824	2024-11-04T00:00:00Z
eap8-jctools-0:4.0.2-1.redhat_00001.1.el9eap	cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9	RHSA-2024:8824	2024-11-04T00:00:00Z
eap8-jgroups-0:5.3.10-1.Final_redhat_00001.1.el9eap	cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9	RHSA-2024:8824	2024-11-04T00:00:00Z
eap8-log4j-0:2.22.1-1.redhat_00002.1.el9eap	cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9	RHSA-2024:8824	2024-11-04T00:00:00Z
eap8-narayana-0:6.0.3-1.Final_redhat_00001.1.el9eap	cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9	RHSA-2024:8824	2024-11-04T00:00:00Z
eap8-nimbus-jose-jwt-0:9.37.3-1.redhat_00001.1.el9eap	cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9	RHSA-2024:8824	2024-11-04T00:00:00Z
eap8-objectweb-asm-0:9.6.0-1.redhat_00002.1.el9eap	cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9	RHSA-2024:8824	2024-11-04T00:00:00Z
eap8-pem-keystore-0:2.3.0-1.redhat_00001.1.el9eap	cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9	RHSA-2024:8824	2024-11-04T00:00:00Z
eap8-resteasy-extensions-0:2.0.1-3.Final_redhat_00001.1.el9eap	cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9	RHSA-2024:8824	2024-11-04T00:00:00Z
eap8-resteasy-spring-0:3.0.1-2.Final_redhat_00001.1.el9eap	cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9	RHSA-2024:8824	2024-11-04T00:00:00Z
eap8-saaj-impl-0:3.0.4-1.redhat_00001.1.el9eap	cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9	RHSA-2024:8824	2024-11-04T00:00:00Z
eap8-shibboleth-java-support-0:8.0.0-6.redhat_00001.1.el9eap	cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9	RHSA-2024:8824	2024-11-04T00:00:00Z
eap8-slf4j-0:2.0.16-1.redhat_00001.1.el9eap	cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9	RHSA-2024:8824	2024-11-04T00:00:00Z
eap8-snakeyaml-0:2.2.0-1.redhat_00001.1.el9eap	cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9	RHSA-2024:8824	2024-11-04T00:00:00Z
eap8-wildfly-0:8.0.4-2.GA_redhat_00005.1.el9eap	cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9	RHSA-2024:8824	2024-11-04T00:00:00Z

References

Link	Providers
http://www.openwall.com/lists/oss-security/2024/07/18/4
https://github.com/advisories/GHSA-4mgg-fqfq-64hg
https://lists.apache.org/thread/n2hvbrgwpdtcqdccod8by28ynnolybl6
https://nvd.nist.gov/vuln/detail/CVE-2024-41172
https://osv.dev/vulnerability/GHSA-4mgg-fqfq-64hg
https://security.netapp.com/advisory/ntap-20240808-0008/
https://www.cve.org/CVERecord?id=CVE-2024-41172

History

Thu, 17 Apr 2025 15:15:00 +0000

Type	Values Removed	Values Added
Metrics	threat_severity `Low`	threat_severity `Moderate`

Wed, 06 Nov 2024 02:15:00 +0000

Type	Values Removed	Values Added
First Time appeared		Redhat jboss Enterprise Application Platform
CPEs		cpe:/a:redhat:jboss_enterprise_application_platform:8.0 cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8 cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9
Vendors & Products		Redhat jboss Enterprise Application Platform

Wed, 25 Sep 2024 19:00:00 +0000

Type	Values Removed	Values Added
First Time appeared		Redhat Redhat camel Quarkus
CPEs		cpe:/a:redhat:camel_quarkus:3.8
Vendors & Products		Redhat Redhat camel Quarkus

Fri, 13 Sep 2024 18:30:00 +0000

Type	Values Removed	Values Added
References		http://www.openwall.com/lists/oss-security/2024/07/18/4

Thu, 08 Aug 2024 13:30:00 +0000

Type	Values Removed	Values Added
References		https://security.netapp.com/advisory/ntap-20240808-0008/
Metrics	ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}` cvssV3_1 `{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L'}`	cvssV3_1 `{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}`

MITRE

Status: PUBLISHED

Assigner: apache

Published: 2024-07-19T08:50:43.766Z

Updated: 2024-09-13T17:05:12.209Z

Reserved: 2024-07-17T13:38:34.414Z

Link: CVE-2024-41172

Vulnrichment

Updated: 2024-09-13T17:05:12.209Z

NVD

Status : Modified

Published: 2024-07-19T09:15:05.640

Modified: 2024-11-21T09:32:20.520

Link: CVE-2024-41172

Redhat

Severity : Moderate

Publid Date: 2024-07-19T00:00:00Z

Links: CVE-2024-41172 - Bugzilla

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-41172", "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "state": "PUBLISHED", "assignerShortName": "apache", "dateReserved": "2024-07-17T13:38:34.414Z", "datePublished": "2024-07-19T08:50:43.766Z", "dateUpdated": "2024-09-13T17:05:12.209Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Apache CXF", "vendor": "Apache Software Foundation", "versions": [{"lessThan": "3.6.4, 4.0.5", "status": "affected", "version": "3.6.0, 4.0.0", "versionType": "semver"}]}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "In versions of Apache CXF before 3.6.4 and 4.0.5 (3.5.x and lower versions are not impacted), a CXF HTTP client conduit may prevent HTTPClient instances from being garbage collected and it is possible that memory consumption will continue to increase, eventually causing the application to run out of memory<br>"}], "value": "In versions of Apache CXF before 3.6.4 and 4.0.5 (3.5.x and lower versions are not impacted), a CXF HTTP client conduit may prevent HTTPClient instances from being garbage collected and it is possible that memory consumption will continue to increase, eventually causing the application to run out of memory\n"}], "metrics": [{"other": {"content": {"text": "low"}, "type": "Textual description of severity"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-401", "description": "CWE-401 Missing Release of Memory after Effective Lifetime", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache", "dateUpdated": "2024-07-19T08:50:43.766Z"}, "references": [{"tags": ["vendor-advisory"], "url": "https://lists.apache.org/thread/n2hvbrgwpdtcqdccod8by28ynnolybl6"}], "source": {"discovery": "UNKNOWN"}, "title": "Apache CXF: Unrestricted memory consumption in CXF HTTP clients", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}, "adp": [{"affected": [{"vendor": "apache", "product": "cxf", "cpes": ["cpe:2.3:a:apache:cxf:*:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "3.6.0", "status": "affected", "lessThan": "3.6.4", "versionType": "semver"}, {"version": "4.0.0", "status": "affected", "lessThan": "4.0.5", "versionType": "semver"}]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2024-07-23T17:58:41.172215Z", "id": "CVE-2024-41172", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-07-24T18:59:47.054Z"}}, {"title": "CVE Program Container", "references": [{"tags": ["vendor-advisory", "x_transferred"], "url": "https://lists.apache.org/thread/n2hvbrgwpdtcqdccod8by28ynnolybl6"}, {"url": "https://security.netapp.com/advisory/ntap-20240808-0008/"}, {"url": "http://www.openwall.com/lists/oss-security/2024/07/18/4"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-09-13T17:05:12.209Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://lists.apache.org/thread/n2hvbrgwpdtcqdccod8by28ynnolybl6", "tags": ["vendor-advisory", "x_transferred"]}, {"url": "https://security.netapp.com/advisory/ntap-20240808-0008/"}, {"url": "http://www.openwall.com/lists/oss-security/2024/07/18/4"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-09-13T17:05:12.209Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2024-41172", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-07-23T17:58:41.172215Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:apache:cxf:*:*:*:*:*:*:*:*"], "vendor": "apache", "product": "cxf", "versions": [{"status": "affected", "version": "3.6.0", "lessThan": "3.6.4", "versionType": "semver"}, {"status": "affected", "version": "4.0.0", "lessThan": "4.0.5", "versionType": "semver"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-07-23T18:04:13.602Z"}}], "cna": {"title": "Apache CXF: Unrestricted memory consumption in CXF HTTP clients", "source": {"discovery": "UNKNOWN"}, "metrics": [{"other": {"type": "Textual description of severity", "content": {"text": "low"}}}], "affected": [{"vendor": "Apache Software Foundation", "product": "Apache CXF", "versions": [{"status": "affected", "version": "3.6.0, 4.0.0", "lessThan": "3.6.4, 4.0.5", "versionType": "semver"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://lists.apache.org/thread/n2hvbrgwpdtcqdccod8by28ynnolybl6", "tags": ["vendor-advisory"]}], "x_generator": {"engine": "Vulnogram 0.1.0-dev"}, "descriptions": [{"lang": "en", "value": "In versions of Apache CXF before 3.6.4 and 4.0.5 (3.5.x and lower versions are not impacted), a CXF HTTP client conduit may prevent HTTPClient instances from being garbage collected and it is possible that memory consumption will continue to increase, eventually causing the application to run out of memory\n", "supportingMedia": [{"type": "text/html", "value": "In versions of Apache CXF before 3.6.4 and 4.0.5 (3.5.x and lower versions are not impacted), a CXF HTTP client conduit may prevent HTTPClient instances from being garbage collected and it is possible that memory consumption will continue to increase, eventually causing the application to run out of memory<br>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-401", "description": "CWE-401 Missing Release of Memory after Effective Lifetime"}]}], "providerMetadata": {"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache", "dateUpdated": "2024-07-19T08:50:43.766Z"}}}, "cveMetadata": {"cveId": "CVE-2024-41172", "state": "PUBLISHED", "dateUpdated": "2024-09-13T17:05:12.209Z", "dateReserved": "2024-07-17T13:38:34.414Z", "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "datePublished": "2024-07-19T08:50:43.766Z", "assignerShortName": "apache"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:apache:cxf:*:*:*:*:*:*:*:*", "matchCriteriaId": "7D6F6603-DD23-4DD5-8B90-0BAB0EB7E1D1", "versionEndExcluding": "3.6.4", "versionStartIncluding": "3.6.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:cxf:*:*:*:*:*:*:*:*", "matchCriteriaId": "ACAFECF5-75A5-4397-A588-F51D09717335", "versionEndExcluding": "4.0.5", "versionStartIncluding": "4.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "In versions of Apache CXF before 3.6.4 and 4.0.5 (3.5.x and lower versions are not impacted), a CXF HTTP client conduit may prevent HTTPClient instances from being garbage collected and it is possible that memory consumption will continue to increase, eventually causing the application to run out of memory\n"}, {"lang": "es", "value": "En las versiones de Apache CXF anteriores a 3.6.4 y 4.0.5 (las versiones 3.5.x y inferiores no se ven afectadas), un conducto de cliente HTTP de CXF puede impedir que las instancias de HTTPClient se recopilen como basura y es posible que el consumo de memoria contin\u00fae aumentando eventualmente causando que la aplicaci\u00f3n se quede sin memoria."}], "id": "CVE-2024-41172", "lastModified": "2024-11-21T09:32:20.520", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2024-07-19T09:15:05.640", "references": [{"source": "security@apache.org", "tags": ["Mailing List", "Vendor Advisory"], "url": "https://lists.apache.org/thread/n2hvbrgwpdtcqdccod8by28ynnolybl6"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.openwall.com/lists/oss-security/2024/07/18/4"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Vendor Advisory"], "url": "https://lists.apache.org/thread/n2hvbrgwpdtcqdccod8by28ynnolybl6"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://security.netapp.com/advisory/ntap-20240808-0008/"}], "sourceIdentifier": "security@apache.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-401"}], "source": "security@apache.org", "type": "Secondary"}]}

{"affected_release": [{"advisory": "RHSA-2024:7052", "cpe": "cpe:/a:redhat:camel_quarkus:3.8", "package": "org.apache.cxf/cxf-rt-transports-http", "product_name": "Red Hat build of Apache Camel 4 for Quarkus 3", "release_date": "2024-09-24T00:00:00Z"}, {"advisory": "RHSA-2024:8826", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8.0", "package": "org.apache.cxf/cxf-rt-transports-http", "product_name": "Red Hat JBoss Enterprise Application Platform 8", "release_date": "2024-11-04T00:00:00Z"}, {"advisory": "RHSA-2024:8823", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8", "package": "eap8-activemq-artemis-0:2.33.0-1.redhat_00015.1.el8eap", "product_name": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8", "release_date": "2024-11-04T00:00:00Z"}, {"advisory": "RHSA-2024:8823", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8", "package": "eap8-activemq-artemis-native-1:2.0.0-2.redhat_00005.1.el8eap", "product_name": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8", "release_date": "2024-11-04T00:00:00Z"}, {"advisory": "RHSA-2024:8823", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8", "package": "eap8-aesh-extensions-0:1.8.0-2.redhat_00001.1.el8eap", "product_name": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8", "release_date": "2024-11-04T00:00:00Z"}, {"advisory": "RHSA-2024:8823", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8", "package": "eap8-aesh-readline-0:2.2.0-2.redhat_00001.1.el8eap", "product_name": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8", "release_date": "2024-11-04T00:00:00Z"}, {"advisory": "RHSA-2024:8823", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8", "package": "eap8-apache-commons-codec-0:1.16.1-2.redhat_00007.1.el8eap", "product_name": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8", "release_date": "2024-11-04T00:00:00Z"}, {"advisory": "RHSA-2024:8823", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8", "package": "eap8-apache-commons-collections-0:3.2.2-28.redhat_2.1.el8eap", "product_name": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8", "release_date": "2024-11-04T00:00:00Z"}, {"advisory": "RHSA-2024:8823", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8", "package": "eap8-apache-commons-io-0:2.15.1-1.redhat_00001.1.el8eap", "product_name": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8", "release_date": "2024-11-04T00:00:00Z"}, {"advisory": "RHSA-2024:8823", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8", "package": "eap8-apache-commons-lang-0:3.14.0-2.redhat_00006.1.el8eap", "product_name": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8", "release_date": "2024-11-04T00:00:00Z"}, {"advisory": "RHSA-2024:8823", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8", "package": "eap8-apache-cxf-0:4.0.5-1.redhat_00001.1.el8eap", "product_name": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8", "release_date": "2024-11-04T00:00:00Z"}, {"advisory": "RHSA-2024:8823", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8", "package": "eap8-artemis-native-1:2.0.0-2.redhat_00005.1.el8eap", "product_name": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8", "release_date": "2024-11-04T00:00:00Z"}, {"advisory": "RHSA-2024:8823", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8", "package": "eap8-artemis-wildfly-integration-0:2.0.1-1.redhat_00002.1.el8eap", "product_name": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8", "release_date": "2024-11-04T00:00:00Z"}, {"advisory": "RHSA-2024:8823", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8", "package": "eap8-asyncutil-0:0.1.0-2.redhat_00010.1.el8eap", "product_name": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8", "release_date": "2024-11-04T00:00:00Z"}, {"advisory": "RHSA-2024:8823", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8", "package": "eap8-aws-java-sdk-0:1.12.284-2.redhat_00002.1.el8eap", "product_name": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8", "release_date": "2024-11-04T00:00:00Z"}, {"advisory": "RHSA-2024:8823", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8", "package": "eap8-cryptacular-0:1.2.5-2.redhat_00001.1.el8eap", "product_name": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8", "release_date": "2024-11-04T00:00:00Z"}, {"advisory": "RHSA-2024:8823", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8", "package": "eap8-eap-product-conf-parent-0:800.4.0-1.GA_redhat_00001.1.el8eap", "product_name": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8", "release_date": "2024-11-04T00:00:00Z"}, {"advisory": "RHSA-2024:8823", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8", "package": "eap8-fastinfoset-0:2.1.0-4.redhat_00001.1.el8eap", "product_name": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8", "release_date": "2024-11-04T00:00:00Z"}, {"advisory": "RHSA-2024:8823", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8", "package": "eap8-hibernate-0:6.2.31-1.Final_redhat_00002.1.el8eap", "product_name": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8", "release_date": "2024-11-04T00:00:00Z"}, {"advisory": "RHSA-2024:8823", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8", "package": "eap8-hibernate-validator-0:8.0.1-3.Final_redhat_00001.1.el8eap", "product_name": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8", "release_date": "2024-11-04T00:00:00Z"}, {"advisory": "RHSA-2024:8823", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8", "package": "eap8-hppc-0:0.8.1-2.redhat_00001.1.el8eap", "product_name": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8", "release_date": "2024-11-04T00:00:00Z"}, {"advisory": "RHSA-2024:8823", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8", "package": "eap8-insights-java-client-0:1.1.3-1.redhat_00001.1.el8eap", "product_name": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8", "release_date": "2024-11-04T00:00:00Z"}, {"advisory": "RHSA-2024:8823", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8", "package": "eap8-jakarta-servlet-jsp-jstl-api-0:3.0.1-1.redhat_00001.1.el8eap", "product_name": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8", "release_date": "2024-11-04T00:00:00Z"}, {"advisory": "RHSA-2024:8823", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8", "package": "eap8-jboss-cert-helper-0:1.1.3-1.redhat_00001.1.el8eap", "product_name": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8", "release_date": "2024-11-04T00:00:00Z"}, {"advisory": "RHSA-2024:8823", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8", "package": "eap8-jboss-logging-0:3.5.3-1.Final_redhat_00001.1.el8eap", "product_name": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8", "release_date": "2024-11-04T00:00:00Z"}, {"advisory": "RHSA-2024:8823", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8", "package": "eap8-jctools-0:4.0.2-1.redhat_00001.1.el8eap", "product_name": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8", "release_date": "2024-11-04T00:00:00Z"}, {"advisory": "RHSA-2024:8823", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8", "package": "eap8-jgroups-0:5.3.10-1.Final_redhat_00001.1.el8eap", "product_name": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8", "release_date": "2024-11-04T00:00:00Z"}, {"advisory": "RHSA-2024:8823", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8", "package": "eap8-log4j-0:2.22.1-1.redhat_00002.1.el8eap", "product_name": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8", "release_date": "2024-11-04T00:00:00Z"}, {"advisory": "RHSA-2024:8823", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8", "package": "eap8-narayana-0:6.0.3-1.Final_redhat_00001.1.el8eap", "product_name": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8", "release_date": "2024-11-04T00:00:00Z"}, {"advisory": "RHSA-2024:8823", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8", "package": "eap8-nimbus-jose-jwt-0:9.37.3-1.redhat_00001.1.el8eap", "product_name": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8", "release_date": "2024-11-04T00:00:00Z"}, {"advisory": "RHSA-2024:8823", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8", "package": "eap8-objectweb-asm-0:9.6.0-1.redhat_00002.1.el8eap", "product_name": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8", "release_date": "2024-11-04T00:00:00Z"}, {"advisory": "RHSA-2024:8823", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8", "package": "eap8-pem-keystore-0:2.3.0-1.redhat_00001.1.el8eap", "product_name": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8", "release_date": "2024-11-04T00:00:00Z"}, {"advisory": "RHSA-2024:8823", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8", "package": "eap8-resteasy-extensions-0:2.0.1-3.Final_redhat_00001.1.el8eap", "product_name": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8", "release_date": "2024-11-04T00:00:00Z"}, {"advisory": "RHSA-2024:8823", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8", "package": "eap8-resteasy-spring-0:3.0.1-2.Final_redhat_00001.1.el8eap", "product_name": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8", "release_date": "2024-11-04T00:00:00Z"}, {"advisory": "RHSA-2024:8823", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8", "package": "eap8-saaj-impl-0:3.0.4-1.redhat_00001.1.el8eap", "product_name": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8", "release_date": "2024-11-04T00:00:00Z"}, {"advisory": "RHSA-2024:8823", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8", "package": "eap8-shibboleth-java-support-0:8.0.0-6.redhat_00001.1.el8eap", "product_name": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8", "release_date": "2024-11-04T00:00:00Z"}, {"advisory": "RHSA-2024:8823", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8", "package": "eap8-slf4j-0:2.0.16-1.redhat_00001.1.el8eap", "product_name": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8", "release_date": "2024-11-04T00:00:00Z"}, {"advisory": "RHSA-2024:8823", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8", "package": "eap8-snakeyaml-0:2.2.0-1.redhat_00001.1.el8eap", "product_name": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8", "release_date": "2024-11-04T00:00:00Z"}, {"advisory": "RHSA-2024:8823", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8", "package": "eap8-wildfly-0:8.0.4-2.GA_redhat_00005.1.el8eap", "product_name": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8", "release_date": "2024-11-04T00:00:00Z"}, {"advisory": "RHSA-2024:8824", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9", "package": "eap8-activemq-artemis-0:2.33.0-1.redhat_00015.1.el9eap", "product_name": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9", "release_date": "2024-11-04T00:00:00Z"}, {"advisory": "RHSA-2024:8824", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9", "package": "eap8-activemq-artemis-native-1:2.0.0-2.redhat_00005.1.el9eap", "product_name": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9", "release_date": "2024-11-04T00:00:00Z"}, {"advisory": "RHSA-2024:8824", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9", "package": "eap8-aesh-extensions-0:1.8.0-2.redhat_00001.1.el9eap", "product_name": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9", "release_date": "2024-11-04T00:00:00Z"}, {"advisory": "RHSA-2024:8824", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9", "package": "eap8-aesh-readline-0:2.2.0-2.redhat_00001.1.el9eap", "product_name": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9", "release_date": "2024-11-04T00:00:00Z"}, {"advisory": "RHSA-2024:8824", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9", "package": "eap8-apache-commons-codec-0:1.16.1-2.redhat_00007.1.el9eap", "product_name": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9", "release_date": "2024-11-04T00:00:00Z"}, {"advisory": "RHSA-2024:8824", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9", "package": "eap8-apache-commons-collections-0:3.2.2-28.redhat_2.1.el9eap", "product_name": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9", "release_date": "2024-11-04T00:00:00Z"}, {"advisory": "RHSA-2024:8824", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9", "package": "eap8-apache-commons-io-0:2.15.1-1.redhat_00001.1.el9eap", "product_name": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9", "release_date": "2024-11-04T00:00:00Z"}, {"advisory": "RHSA-2024:8824", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9", "package": "eap8-apache-commons-lang-0:3.14.0-2.redhat_00006.1.el9eap", "product_name": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9", "release_date": "2024-11-04T00:00:00Z"}, {"advisory": "RHSA-2024:8824", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9", "package": "eap8-apache-cxf-0:4.0.5-1.redhat_00001.1.el9eap", "product_name": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9", "release_date": "2024-11-04T00:00:00Z"}, {"advisory": "RHSA-2024:8824", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9", "package": "eap8-artemis-native-1:2.0.0-2.redhat_00005.1.el9eap", "product_name": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9", "release_date": "2024-11-04T00:00:00Z"}, {"advisory": "RHSA-2024:8824", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9", "package": "eap8-artemis-wildfly-integration-0:2.0.1-1.redhat_00002.1.el9eap", "product_name": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9", "release_date": "2024-11-04T00:00:00Z"}, {"advisory": "RHSA-2024:8824", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9", "package": "eap8-asyncutil-0:0.1.0-2.redhat_00010.1.el9eap", "product_name": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9", "release_date": "2024-11-04T00:00:00Z"}, {"advisory": "RHSA-2024:8824", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9", "package": "eap8-aws-java-sdk-0:1.12.284-2.redhat_00002.1.el9eap", "product_name": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9", "release_date": "2024-11-04T00:00:00Z"}, {"advisory": "RHSA-2024:8824", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9", "package": "eap8-cryptacular-0:1.2.5-2.redhat_00001.1.el9eap", "product_name": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9", "release_date": "2024-11-04T00:00:00Z"}, {"advisory": "RHSA-2024:8824", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9", "package": "eap8-eap-product-conf-parent-0:800.4.0-1.GA_redhat_00001.1.el9eap", "product_name": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9", "release_date": "2024-11-04T00:00:00Z"}, {"advisory": "RHSA-2024:8824", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9", "package": "eap8-fastinfoset-0:2.1.0-4.redhat_00001.1.el9eap", "product_name": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9", "release_date": "2024-11-04T00:00:00Z"}, {"advisory": "RHSA-2024:8824", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9", "package": "eap8-hibernate-0:6.2.31-1.Final_redhat_00002.1.el9eap", "product_name": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9", "release_date": "2024-11-04T00:00:00Z"}, {"advisory": "RHSA-2024:8824", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9", "package": "eap8-hibernate-validator-0:8.0.1-3.Final_redhat_00001.1.el9eap", "product_name": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9", "release_date": "2024-11-04T00:00:00Z"}, {"advisory": "RHSA-2024:8824", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9", "package": "eap8-hppc-0:0.8.1-2.redhat_00001.1.el9eap", "product_name": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9", "release_date": "2024-11-04T00:00:00Z"}, {"advisory": "RHSA-2024:8824", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9", "package": "eap8-insights-java-client-0:1.1.3-1.redhat_00001.1.el9eap", "product_name": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9", "release_date": "2024-11-04T00:00:00Z"}, {"advisory": "RHSA-2024:8824", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9", "package": "eap8-jakarta-servlet-jsp-jstl-api-0:3.0.1-1.redhat_00001.1.el9eap", "product_name": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9", "release_date": "2024-11-04T00:00:00Z"}, {"advisory": "RHSA-2024:8824", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9", "package": "eap8-jboss-cert-helper-0:1.1.3-1.redhat_00001.1.el9eap", "product_name": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9", "release_date": "2024-11-04T00:00:00Z"}, {"advisory": "RHSA-2024:8824", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9", "package": "eap8-jboss-logging-0:3.5.3-1.Final_redhat_00001.1.el9eap", "product_name": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9", "release_date": "2024-11-04T00:00:00Z"}, {"advisory": "RHSA-2024:8824", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9", "package": "eap8-jctools-0:4.0.2-1.redhat_00001.1.el9eap", "product_name": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9", "release_date": "2024-11-04T00:00:00Z"}, {"advisory": "RHSA-2024:8824", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9", "package": "eap8-jgroups-0:5.3.10-1.Final_redhat_00001.1.el9eap", "product_name": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9", "release_date": "2024-11-04T00:00:00Z"}, {"advisory": "RHSA-2024:8824", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9", "package": "eap8-log4j-0:2.22.1-1.redhat_00002.1.el9eap", "product_name": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9", "release_date": "2024-11-04T00:00:00Z"}, {"advisory": "RHSA-2024:8824", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9", "package": "eap8-narayana-0:6.0.3-1.Final_redhat_00001.1.el9eap", "product_name": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9", "release_date": "2024-11-04T00:00:00Z"}, {"advisory": "RHSA-2024:8824", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9", "package": "eap8-nimbus-jose-jwt-0:9.37.3-1.redhat_00001.1.el9eap", "product_name": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9", "release_date": "2024-11-04T00:00:00Z"}, {"advisory": "RHSA-2024:8824", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9", "package": "eap8-objectweb-asm-0:9.6.0-1.redhat_00002.1.el9eap", "product_name": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9", "release_date": "2024-11-04T00:00:00Z"}, {"advisory": "RHSA-2024:8824", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9", "package": "eap8-pem-keystore-0:2.3.0-1.redhat_00001.1.el9eap", "product_name": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9", "release_date": "2024-11-04T00:00:00Z"}, {"advisory": "RHSA-2024:8824", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9", "package": "eap8-resteasy-extensions-0:2.0.1-3.Final_redhat_00001.1.el9eap", "product_name": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9", "release_date": "2024-11-04T00:00:00Z"}, {"advisory": "RHSA-2024:8824", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9", "package": "eap8-resteasy-spring-0:3.0.1-2.Final_redhat_00001.1.el9eap", "product_name": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9", "release_date": "2024-11-04T00:00:00Z"}, {"advisory": "RHSA-2024:8824", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9", "package": "eap8-saaj-impl-0:3.0.4-1.redhat_00001.1.el9eap", "product_name": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9", "release_date": "2024-11-04T00:00:00Z"}, {"advisory": "RHSA-2024:8824", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9", "package": "eap8-shibboleth-java-support-0:8.0.0-6.redhat_00001.1.el9eap", "product_name": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9", "release_date": "2024-11-04T00:00:00Z"}, {"advisory": "RHSA-2024:8824", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9", "package": "eap8-slf4j-0:2.0.16-1.redhat_00001.1.el9eap", "product_name": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9", "release_date": "2024-11-04T00:00:00Z"}, {"advisory": "RHSA-2024:8824", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9", "package": "eap8-snakeyaml-0:2.2.0-1.redhat_00001.1.el9eap", "product_name": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9", "release_date": "2024-11-04T00:00:00Z"}, {"advisory": "RHSA-2024:8824", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9", "package": "eap8-wildfly-0:8.0.4-2.GA_redhat_00005.1.el9eap", "product_name": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9", "release_date": "2024-11-04T00:00:00Z"}], "bugzilla": {"description": "apache: cxf: org.apache.cxf:cxf-rt-transports-http: unrestricted memory consumption in CXF HTTP clients", "id": "2298829", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2298829"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "status": "verified"}, "cwe": "CWE-401", "details": ["In versions of Apache CXF before 3.6.4 and 4.0.5 (3.5.x and lower versions are not impacted), a CXF HTTP client conduit may prevent HTTPClient instances from being garbage collected and it is possible that memory consumption will continue to increase, eventually causing the application to run out of memory", "A memory consumption flaw was found in Apache CXF. This issue may allow a CXF HTTP client conduit to prevent HTTPClient instances from being garbage collected, eventually causing the application to run out of memory."], "name": "CVE-2024-41172", "package_state": [{"cpe": "cpe:/a:redhat:camel_spring_boot:3", "fix_state": "Not affected", "package_name": "org.apache.cxf/cxf-rt-transports-http", "product_name": "Red Hat build of Apache Camel for Spring Boot 3"}, {"cpe": "cpe:/a:redhat:camel_spring_boot:4", "fix_state": "Affected", "package_name": "org.apache.cxf/cxf-rt-transports-http", "product_name": "Red Hat build of Apache Camel for Spring Boot 4"}, {"cpe": "cpe:/a:redhat:build_keycloak:", "fix_state": "Not affected", "package_name": "org.apache.cxf/cxf-rt-transports-http", "product_name": "Red Hat Build of Keycloak"}, {"cpe": "cpe:/a:redhat:quarkus:3", "fix_state": "Will not fix", "package_name": "org.apache.cxf/cxf-rt-transports-http", "product_name": "Red Hat build of Quarkus"}, {"cpe": "cpe:/a:redhat:jboss_fuse:7", "fix_state": "Not affected", "package_name": "org.apache.cxf/cxf-rt-transports-http", "product_name": "Red Hat Fuse 7"}, {"cpe": "cpe:/a:redhat:integration:1", "fix_state": "Not affected", "package_name": "org.apache.cxf/cxf-rt-transports-http", "product_name": "Red Hat Integration Camel K 1"}, {"cpe": "cpe:/a:redhat:jboss_data_grid:7", "fix_state": "Not affected", "package_name": "org.apache.cxf/cxf-rt-transports-http", "product_name": "Red Hat JBoss Data Grid 7"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7", "fix_state": "Not affected", "package_name": "org.apache.cxf/cxf-rt-transports-http", "product_name": "Red Hat JBoss Enterprise Application Platform 7"}, {"cpe": "cpe:/a:redhat:jbosseapxp", "fix_state": "Not affected", "package_name": "org.apache.cxf/cxf-rt-transports-http", "product_name": "Red Hat JBoss Enterprise Application Platform Expansion Pack"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_bpms_platform:7", "fix_state": "Not affected", "package_name": "org.apache.cxf/cxf-rt-transports-http", "product_name": "Red Hat Process Automation 7"}, {"cpe": "cpe:/a:redhat:red_hat_single_sign_on:7", "fix_state": "Not affected", "package_name": "org.apache.cxf/cxf-rt-transports-http", "product_name": "Red Hat Single Sign-On 7"}], "public_date": "2024-07-19T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2024-41172\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-41172\nhttps://github.com/advisories/GHSA-4mgg-fqfq-64hg\nhttps://lists.apache.org/thread/n2hvbrgwpdtcqdccod8by28ynnolybl6\nhttps://osv.dev/vulnerability/GHSA-4mgg-fqfq-64hg"], "threat_severity": "Moderate"}

Metrics

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object