Critical severityNVD Advisory· Published Mar 15, 2024· Updated Feb 13, 2025
Apache CXF SSRF Vulnerability using the Aegis databinding
CVE-2024-28752
Description
A SSRF vulnerability using the Aegis DataBinding in versions of Apache CXF before 4.0.4, 3.6.3 and 3.5.8 allows an attacker to perform SSRF style attacks on webservices that take at least one parameter of any type. Users of other data bindings (including the default databinding) are not impacted.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
org.apache.cxf:cxf-rt-databinding-aegisMaven | < 3.5.8 | 3.5.8 |
org.apache.cxf:cxf-rt-databinding-aegisMaven | >= 3.6.0, < 3.6.3 | 3.6.3 |
org.apache.cxf:cxf-rt-databinding-aegisMaven | >= 4.0.0, < 4.0.4 | 4.0.4 |
Affected products
126- osv-coords125 versionspkg:apk/chainguard/opensearch-2pkg:apk/chainguard/opensearch-2-alertingpkg:apk/chainguard/opensearch-2-analysis-icupkg:apk/chainguard/opensearch-2-analysis-kuromojipkg:apk/chainguard/opensearch-2-analysis-noripkg:apk/chainguard/opensearch-2-analysis-phoneticpkg:apk/chainguard/opensearch-2-analysis-smartcnpkg:apk/chainguard/opensearch-2-analysis-stempelpkg:apk/chainguard/opensearch-2-analysis-ukrainianpkg:apk/chainguard/opensearch-2-anomaly-detectionpkg:apk/chainguard/opensearch-2-asynchronous-searchpkg:apk/chainguard/opensearch-2-cross-cluster-replicationpkg:apk/chainguard/opensearch-2-crypto-kmspkg:apk/chainguard/opensearch-2-custom-codecspkg:apk/chainguard/opensearch-2-discovery-azure-classicpkg:apk/chainguard/opensearch-2-discovery-ec2pkg:apk/chainguard/opensearch-2-discovery-gcepkg:apk/chainguard/opensearch-2-entrypoint-compatpkg:apk/chainguard/opensearch-2-geospatialpkg:apk/chainguard/opensearch-2-identity-shiropkg:apk/chainguard/opensearch-2-index-managementpkg:apk/chainguard/opensearch-2-ingest-attachmentpkg:apk/chainguard/opensearch-2-job-schedulerpkg:apk/chainguard/opensearch-2-jre-bcfipspkg:apk/chainguard/opensearch-2-jre-bcfips-alertingpkg:apk/chainguard/opensearch-2-jre-bcfips-analysis-icupkg:apk/chainguard/opensearch-2-jre-bcfips-analysis-kuromojipkg:apk/chainguard/opensearch-2-jre-bcfips-analysis-noripkg:apk/chainguard/opensearch-2-jre-bcfips-analysis-phoneticpkg:apk/chainguard/opensearch-2-jre-bcfips-analysis-smartcnpkg:apk/chainguard/opensearch-2-jre-bcfips-analysis-stempelpkg:apk/chainguard/opensearch-2-jre-bcfips-analysis-ukrainianpkg:apk/chainguard/opensearch-2-jre-bcfips-anomaly-detectionpkg:apk/chainguard/opensearch-2-jre-bcfips-asynchronous-searchpkg:apk/chainguard/opensearch-2-jre-bcfips-cross-cluster-replicationpkg:apk/chainguard/opensearch-2-jre-bcfips-crypto-kmspkg:apk/chainguard/opensearch-2-jre-bcfips-custom-codecspkg:apk/chainguard/opensearch-2-jre-bcfips-discovery-azure-classicpkg:apk/chainguard/opensearch-2-jre-bcfips-discovery-ec2pkg:apk/chainguard/opensearch-2-jre-bcfips-discovery-gcepkg:apk/chainguard/opensearch-2-jre-bcfips-geospatialpkg:apk/chainguard/opensearch-2-jre-bcfips-identity-shiropkg:apk/chainguard/opensearch-2-jre-bcfips-index-managementpkg:apk/chainguard/opensearch-2-jre-bcfips-ingest-attachmentpkg:apk/chainguard/opensearch-2-jre-bcfips-job-schedulerpkg:apk/chainguard/opensearch-2-jre-bcfips-k-nnpkg:apk/chainguard/opensearch-2-jre-bcfips-mapper-annotated-textpkg:apk/chainguard/opensearch-2-jre-bcfips-mapper-murmur3pkg:apk/chainguard/opensearch-2-jre-bcfips-mapper-sizepkg:apk/chainguard/opensearch-2-jre-bcfips-ml-commonspkg:apk/chainguard/opensearch-2-jre-bcfips-neural-searchpkg:apk/chainguard/opensearch-2-jre-bcfips-notificationspkg:apk/chainguard/opensearch-2-jre-bcfips-observabilitypkg:apk/chainguard/opensearch-2-jre-bcfips-performance-analyzerpkg:apk/chainguard/opensearch-2-jre-bcfips-reportingpkg:apk/chainguard/opensearch-2-jre-bcfips-repository-azurepkg:apk/chainguard/opensearch-2-jre-bcfips-repository-gcspkg:apk/chainguard/opensearch-2-jre-bcfips-repository-s3pkg:apk/chainguard/opensearch-2-jre-bcfips-securitypkg:apk/chainguard/opensearch-2-jre-bcfips-security-analyticspkg:apk/chainguard/opensearch-2-jre-bcfips-sqlpkg:apk/chainguard/opensearch-2-jre-bcfips-store-smbpkg:apk/chainguard/opensearch-2-jre-bcfips-telemetry-otelpkg:apk/chainguard/opensearch-2-jre-bcfips-transport-niopkg:apk/chainguard/opensearch-2-k-nnpkg:apk/chainguard/opensearch-2-mapper-annotated-textpkg:apk/chainguard/opensearch-2-mapper-murmur3pkg:apk/chainguard/opensearch-2-mapper-sizepkg:apk/chainguard/opensearch-2-ml-commonspkg:apk/chainguard/opensearch-2-neural-searchpkg:apk/chainguard/opensearch-2-notificationspkg:apk/chainguard/opensearch-2-observabilitypkg:apk/chainguard/opensearch-2-performance-analyzerpkg:apk/chainguard/opensearch-2-reportingpkg:apk/chainguard/opensearch-2-repository-azurepkg:apk/chainguard/opensearch-2-repository-gcspkg:apk/chainguard/opensearch-2-repository-s3pkg:apk/chainguard/opensearch-2-securitypkg:apk/chainguard/opensearch-2-security-analyticspkg:apk/chainguard/opensearch-2-sqlpkg:apk/chainguard/opensearch-2-store-smbpkg:apk/chainguard/opensearch-2-telemetry-otelpkg:apk/chainguard/opensearch-2-transport-niopkg:apk/wolfi/opensearch-2pkg:apk/wolfi/opensearch-2-alertingpkg:apk/wolfi/opensearch-2-analysis-icupkg:apk/wolfi/opensearch-2-analysis-kuromojipkg:apk/wolfi/opensearch-2-analysis-noripkg:apk/wolfi/opensearch-2-analysis-phoneticpkg:apk/wolfi/opensearch-2-analysis-smartcnpkg:apk/wolfi/opensearch-2-analysis-stempelpkg:apk/wolfi/opensearch-2-analysis-ukrainianpkg:apk/wolfi/opensearch-2-anomaly-detectionpkg:apk/wolfi/opensearch-2-asynchronous-searchpkg:apk/wolfi/opensearch-2-cross-cluster-replicationpkg:apk/wolfi/opensearch-2-crypto-kmspkg:apk/wolfi/opensearch-2-custom-codecspkg:apk/wolfi/opensearch-2-discovery-azure-classicpkg:apk/wolfi/opensearch-2-discovery-ec2pkg:apk/wolfi/opensearch-2-discovery-gcepkg:apk/wolfi/opensearch-2-geospatialpkg:apk/wolfi/opensearch-2-identity-shiropkg:apk/wolfi/opensearch-2-index-managementpkg:apk/wolfi/opensearch-2-ingest-attachmentpkg:apk/wolfi/opensearch-2-job-schedulerpkg:apk/wolfi/opensearch-2-k-nnpkg:apk/wolfi/opensearch-2-mapper-annotated-textpkg:apk/wolfi/opensearch-2-mapper-murmur3pkg:apk/wolfi/opensearch-2-mapper-sizepkg:apk/wolfi/opensearch-2-ml-commonspkg:apk/wolfi/opensearch-2-neural-searchpkg:apk/wolfi/opensearch-2-notificationspkg:apk/wolfi/opensearch-2-observabilitypkg:apk/wolfi/opensearch-2-performance-analyzerpkg:apk/wolfi/opensearch-2-reportingpkg:apk/wolfi/opensearch-2-repository-azurepkg:apk/wolfi/opensearch-2-repository-gcspkg:apk/wolfi/opensearch-2-repository-s3pkg:apk/wolfi/opensearch-2-securitypkg:apk/wolfi/opensearch-2-security-analyticspkg:apk/wolfi/opensearch-2-sqlpkg:apk/wolfi/opensearch-2-store-smbpkg:apk/wolfi/opensearch-2-telemetry-otelpkg:apk/wolfi/opensearch-2-transport-niopkg:maven/org.apache.cxf/cxf-rt-databinding-aegis
< 2.13.0-r0+ 124 more
- (no CPE)range: < 2.13.0-r0
- (no CPE)range: < 2.13.0-r0
- (no CPE)range: < 2.13.0-r0
- (no CPE)range: < 2.13.0-r0
- (no CPE)range: < 2.13.0-r0
- (no CPE)range: < 2.13.0-r0
- (no CPE)range: < 2.13.0-r0
- (no CPE)range: < 2.13.0-r0
- (no CPE)range: < 2.13.0-r0
- (no CPE)range: < 2.13.0-r0
- (no CPE)range: < 2.13.0-r0
- (no CPE)range: < 2.13.0-r0
- (no CPE)range: < 2.13.0-r0
- (no CPE)range: < 2.13.0-r0
- (no CPE)range: < 2.13.0-r0
- (no CPE)range: < 2.13.0-r0
- (no CPE)range: < 2.13.0-r0
- (no CPE)range: < 2.13.0-r0
- (no CPE)range: < 2.13.0-r0
- (no CPE)range: < 2.13.0-r0
- (no CPE)range: < 2.13.0-r0
- (no CPE)range: < 2.13.0-r0
- (no CPE)range: < 2.13.0-r0
- (no CPE)range: < 2.14.0-r0
- (no CPE)range: < 2.14.0-r0
- (no CPE)range: < 2.14.0-r0
- (no CPE)range: < 2.14.0-r0
- (no CPE)range: < 2.14.0-r0
- (no CPE)range: < 2.14.0-r0
- (no CPE)range: < 2.14.0-r0
- (no CPE)range: < 2.14.0-r0
- (no CPE)range: < 2.14.0-r0
- (no CPE)range: < 2.14.0-r0
- (no CPE)range: < 2.14.0-r0
- (no CPE)range: < 2.14.0-r0
- (no CPE)range: < 2.14.0-r0
- (no CPE)range: < 2.14.0-r0
- (no CPE)range: < 2.14.0-r0
- (no CPE)range: < 2.14.0-r0
- (no CPE)range: < 2.14.0-r0
- (no CPE)range: < 2.14.0-r0
- (no CPE)range: < 2.14.0-r0
- (no CPE)range: < 2.14.0-r0
- (no CPE)range: < 2.14.0-r0
- (no CPE)range: < 2.14.0-r0
- (no CPE)range: < 2.14.0-r0
- (no CPE)range: < 2.14.0-r0
- (no CPE)range: < 2.14.0-r0
- (no CPE)range: < 2.14.0-r0
- (no CPE)range: < 2.14.0-r0
- (no CPE)range: < 2.14.0-r0
- (no CPE)range: < 2.14.0-r0
- (no CPE)range: < 2.14.0-r0
- (no CPE)range: < 2.14.0-r0
- (no CPE)range: < 2.14.0-r0
- (no CPE)range: < 2.14.0-r0
- (no CPE)range: < 2.14.0-r0
- (no CPE)range: < 2.14.0-r0
- (no CPE)range: < 2.14.0-r0
- (no CPE)range: < 2.14.0-r0
- (no CPE)range: < 2.14.0-r0
- (no CPE)range: < 2.14.0-r0
- (no CPE)range: < 2.14.0-r0
- (no CPE)range: < 2.14.0-r0
- (no CPE)range: < 2.13.0-r0
- (no CPE)range: < 2.13.0-r0
- (no CPE)range: < 2.13.0-r0
- (no CPE)range: < 2.13.0-r0
- (no CPE)range: < 2.13.0-r0
- (no CPE)range: < 2.13.0-r0
- (no CPE)range: < 2.13.0-r0
- (no CPE)range: < 2.13.0-r0
- (no CPE)range: < 2.13.0-r0
- (no CPE)range: < 2.13.0-r0
- (no CPE)range: < 2.13.0-r0
- (no CPE)range: < 2.13.0-r0
- (no CPE)range: < 2.13.0-r0
- (no CPE)range: < 2.13.0-r0
- (no CPE)range: < 2.13.0-r0
- (no CPE)range: < 2.13.0-r0
- (no CPE)range: < 2.13.0-r0
- (no CPE)range: < 2.13.0-r0
- (no CPE)range: < 2.13.0-r0
- (no CPE)range: < 2.13.0-r0
- (no CPE)range: < 2.13.0-r0
- (no CPE)range: < 2.13.0-r0
- (no CPE)range: < 2.13.0-r0
- (no CPE)range: < 2.13.0-r0
- (no CPE)range: < 2.13.0-r0
- (no CPE)range: < 2.13.0-r0
- (no CPE)range: < 2.13.0-r0
- (no CPE)range: < 2.13.0-r0
- (no CPE)range: < 2.13.0-r0
- (no CPE)range: < 2.13.0-r0
- (no CPE)range: < 2.13.0-r0
- (no CPE)range: < 2.13.0-r0
- (no CPE)range: < 2.13.0-r0
- (no CPE)range: < 2.13.0-r0
- (no CPE)range: < 2.13.0-r0
- (no CPE)range: < 2.13.0-r0
- (no CPE)range: < 2.13.0-r0
- (no CPE)range: < 2.13.0-r0
- (no CPE)range: < 2.13.0-r0
- (no CPE)range: < 2.13.0-r0
- (no CPE)range: < 2.13.0-r0
- (no CPE)range: < 2.13.0-r0
- (no CPE)range: < 2.13.0-r0
- (no CPE)range: < 2.13.0-r0
- (no CPE)range: < 2.13.0-r0
- (no CPE)range: < 2.13.0-r0
- (no CPE)range: < 2.13.0-r0
- (no CPE)range: < 2.13.0-r0
- (no CPE)range: < 2.13.0-r0
- (no CPE)range: < 2.13.0-r0
- (no CPE)range: < 2.13.0-r0
- (no CPE)range: < 2.13.0-r0
- (no CPE)range: < 2.13.0-r0
- (no CPE)range: < 2.13.0-r0
- (no CPE)range: < 2.13.0-r0
- (no CPE)range: < 2.13.0-r0
- (no CPE)range: < 2.13.0-r0
- (no CPE)range: < 2.13.0-r0
- (no CPE)range: < 2.13.0-r0
- (no CPE)range: < 2.13.0-r0
- (no CPE)range: < 3.5.8
Patches
Vulnerability mechanics
References
7- cxf.apache.org/security-advisories.data/CVE-2024-28752.txtghsavendor-advisoryWEB
- github.com/advisories/GHSA-qmgx-j96g-4428ghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2024-28752ghsaADVISORY
- www.openwall.com/lists/oss-security/2024/03/14/3ghsaWEB
- github.com/apache/cxf/commit/d0baeb3ee64c6d7c883bd2f5c4cb0de6b0b5f463ghsaWEB
- security.netapp.com/advisory/ntap-20240517-0001ghsaWEB
- security.netapp.com/advisory/ntap-20240517-0001/mitre
News mentions
0No linked articles in our index yet.