VYPR

Maven package

org.apache.cxf/apache-cxf

pkg:maven/org.apache.cxf/apache-cxf

Vulnerabilities (7)

  • CVE-2021-30468 (Jun 16, 2021)
    affected >= 3.4.0, < 3.4.4; fixed 3.4.4

    A vulnerability in the JsonMapObjectReaderWriter of Apache CXF allows an attacker to submit malformed JSON to a web service, which results in the thread getting stuck in an infinite loop, consuming CPU indefinitely. This issue affects Apache CXF versions prior to 3.4.4; Apache CX

  • CVE-2021-22696 (Apr 2, 2021)
    affected >= 3.4.0, < 3.4.3; fixed 3.4.3

    CXF supports (via JwtRequestCodeFilter) passing OAuth 2 parameters via a JWT token as opposed to query parameters (see: The OAuth 2.0 Authorization Framework: JWT Secured Authorization Request (JAR)). Instead of sending a JWT token as a "request" parameter, the spec also supports

  • CVE-2020-13954 (Nov 12, 2020)
    affected < 3.3.8; fixed 3.3.8

    By default, Apache CXF creates a /services page containing a listing of the available endpoint names and addresses. This webpage is vulnerable to a reflected Cross-Site Scripting (XSS) attack via the styleSheetPath, which allows a malicious actor to inject javascript into the web

  • CVE-2019-17573 (Jan 16, 2020)
    affected < 3.2.12; fixed 3.2.12

    By default, Apache CXF creates a /services page containing a listing of the available endpoint names and addresses. This webpage is vulnerable to a reflected Cross-Site Scripting (XSS) attack, which allows a malicious actor to inject javascript into the web page. Please note that

  • CVE-2019-12423 (Jan 16, 2020)
    affected < 3.2.12; fixed 3.2.12

    Apache CXF ships with an OpenId Connect JWK Keys service, which allows a client to obtain the public keys in JWK format, which can then be used to verify the signature of tokens issued by the service. Typically, the service obtains the public key from a local keystore (JKS/PKCS12)

  • CVE-2019-12406 (Nov 6, 2019)
    affected < 3.2.11; fixed 3.2.11

    Apache CXF before 3.3.4 and 3.2.11 does not restrict the number of message attachments present in a given message. This leaves open the possibility of a denial of service type attack, where a malicious user crafts a message containing a very large number of message attachments. F

  • CVE-2018-8039 (Jul 2, 2018)
    affected >= 3.2.0, < 3.2.5; fixed 3.2.5

    It is possible to configure Apache CXF to use the com.sun.net.ssl implementation via 'System.setProperty("java.protocol.handler.pkgs", "com.sun.net.ssl.internal.www.protocol");'. When this system property is set, CXF uses some reflection to try to make the HostnameVerifier work w