VYPR
Medium severity5.5NVD Advisory· Published Nov 14, 2017· Updated Jun 17, 2026

CVE-2017-12624

CVE-2017-12624

Description

Apache CXF supports sending and receiving attachments via either the JAX-WS or JAX-RS specifications. It is possible to craft a message attachment header that could lead to a Denial of Service (DoS) attack on a CXF web service provider. Both JAX-WS and JAX-RS services are vulnerable to this attack. From Apache CXF 3.2.1 and 3.1.14, message attachment headers that are greater than 300 characters will be rejected by default. This value is configurable via the property "attachment-max-header-size".

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
org.apache.cxf:cxf-coreMaven
>= 3.2.0, < 3.2.13.2.1
org.apache.cxf:cxf-coreMaven
>= 3.1.0, < 3.1.143.1.14
org.apache.cxf:cxf-coreMaven
< 3.0.163.0.16

Affected products

3

Patches

Vulnerability mechanics

References

25

News mentions

0

No linked articles in our index yet.