Medium severity5.5NVD Advisory· Published Nov 14, 2017· Updated Jun 17, 2026
CVE-2017-12624
CVE-2017-12624
Description
Apache CXF supports sending and receiving attachments via either the JAX-WS or JAX-RS specifications. It is possible to craft a message attachment header that could lead to a Denial of Service (DoS) attack on a CXF web service provider. Both JAX-WS and JAX-RS services are vulnerable to this attack. From Apache CXF 3.2.1 and 3.1.14, message attachment headers that are greater than 300 characters will be rejected by default. This value is configurable via the property "attachment-max-header-size".
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
org.apache.cxf:cxf-coreMaven | >= 3.2.0, < 3.2.1 | 3.2.1 |
org.apache.cxf:cxf-coreMaven | >= 3.1.0, < 3.1.14 | 3.1.14 |
org.apache.cxf:cxf-coreMaven | < 3.0.16 | 3.0.16 |
Affected products
3Patches
Vulnerability mechanics
References
25- cxf.apache.org/security-advisories.data/CVE-2017-12624.txt.ascnvdIssue TrackingVendor AdvisoryWEB
- www.securityfocus.com/bid/101859nvdThird Party AdvisoryVDB Entry
- www.securitytracker.com/id/1040486nvdThird Party AdvisoryVDB Entry
- github.com/advisories/GHSA-7vgj-8mw4-hg8rghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2017-12624ghsaADVISORY
- access.redhat.com/errata/RHSA-2018:2423nvdWEB
- access.redhat.com/errata/RHSA-2018:2424nvdWEB
- access.redhat.com/errata/RHSA-2018:2425nvdWEB
- access.redhat.com/errata/RHSA-2018:2428nvdWEB
- github.com/apache/cxf/commit/896bd961cbbb6b8569700e5b70229f78f94ad9dghsaWEB
- github.com/apache/cxf/commit/8bd915bfd7735c248ad660059c6b6ad26cdbcdf6ghsaWEB
- github.com/apache/cxf/commit/a2ce435cf0eedc8158d118d6d275114408d2a376ghsaWEB
- issues.apache.org/jira/browse/CXF-7507ghsaWEB
- lists.apache.org/thread.html/r36e44ffc1a9b365327df62cdfaabe85b9a5637de102cea07d79b2dbf@%3Ccommits.cxf.apache.org%3EghsaWEB
- lists.apache.org/thread.html/rc774278135816e7afc943dc9fc78eb0764f2c84a2b96470a0187315c@%3Ccommits.cxf.apache.org%3EghsaWEB
- lists.apache.org/thread.html/rd49aabd984ed540c8ff7916d4d79405f3fa311d2fdbcf9ed307839a6@%3Ccommits.cxf.apache.org%3EghsaWEB
- lists.apache.org/thread.html/rec7160382badd3ef4ad017a22f64a266c7188b9ba71394f0d321e2d4@%3Ccommits.cxf.apache.org%3EghsaWEB
- lists.apache.org/thread.html/rfb87e0bf3995e7d560afeed750fac9329ff5f1ad49da365129b7f89e@%3Ccommits.cxf.apache.org%3EghsaWEB
- lists.apache.org/thread.html/rff42cfa5e7d75b7c1af0e37589140a8f1999e578a75738740b244bd4@%3Ccommits.cxf.apache.org%3EghsaWEB
- lists.apache.org/thread.html/r36e44ffc1a9b365327df62cdfaabe85b9a5637de102cea07d79b2dbf%40%3Ccommits.cxf.apache.org%3Envd
- lists.apache.org/thread.html/rc774278135816e7afc943dc9fc78eb0764f2c84a2b96470a0187315c%40%3Ccommits.cxf.apache.org%3Envd
- lists.apache.org/thread.html/rd49aabd984ed540c8ff7916d4d79405f3fa311d2fdbcf9ed307839a6%40%3Ccommits.cxf.apache.org%3Envd
- lists.apache.org/thread.html/rec7160382badd3ef4ad017a22f64a266c7188b9ba71394f0d321e2d4%40%3Ccommits.cxf.apache.org%3Envd
- lists.apache.org/thread.html/rfb87e0bf3995e7d560afeed750fac9329ff5f1ad49da365129b7f89e%40%3Ccommits.cxf.apache.org%3Envd
- lists.apache.org/thread.html/rff42cfa5e7d75b7c1af0e37589140a8f1999e578a75738740b244bd4%40%3Ccommits.cxf.apache.org%3Envd
News mentions
0No linked articles in our index yet.