Maven package
org.apache.cxf/cxf
pkg:maven/org.apache.cxf/cxf
Vulnerabilities (12)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2021-30468 | — | | | >= 3.4.0, < 3.4.4 | 3.4.4 | Jun 16, 2021 | A vulnerability in the JsonMapObjectReaderWriter of Apache CXF allows an attacker to submit malformed JSON to a web service, which results in the thread getting stuck in an infinite loop, consuming CPU indefinitely. This issue affects Apache CXF versions prior to 3.4.4; Apache CX |
| CVE-2021-22696 | — | | | >= 3.4.0, < 3.4.3 | 3.4.3 | Apr 2, 2021 | CXF supports (via JwtRequestCodeFilter) passing OAuth 2 parameters via a JWT token as opposed to query parameters (see: The OAuth 2.0 Authorization Framework: JWT Secured Authorization Request (JAR)). Instead of sending a JWT token as a "request" parameter, the spec also supports |
| CVE-2020-13954 | — | | | < 3.3.8 | 3.3.8 | Nov 12, 2020 | By default, Apache CXF creates a /services page containing a listing of the available endpoint names and addresses. This webpage is vulnerable to a reflected Cross-Site Scripting (XSS) attack via the styleSheetPath, which allows a malicious actor to inject javascript into the web |
| CVE-2019-17573 | — | | | < 3.2.12 | 3.2.12 | Jan 16, 2020 | By default, Apache CXF creates a /services page containing a listing of the available endpoint names and addresses. This webpage is vulnerable to a reflected Cross-Site Scripting (XSS) attack, which allows a malicious actor to inject javascript into the web page. Please note that |
| CVE-2019-12423 | — | | | < 3.2.12 | 3.2.12 | Jan 16, 2020 | Apache CXF ships with an OpenId Connect JWK Keys service, which allows a client to obtain the public keys in JWK format, which can then be used to verify the signature of tokens issued by the service. Typically, the service obtains the public key from a local keystore (JKS/PKCS12) |
| CVE-2019-12419 | — | | | < 3.2.11 | 3.2.11 | Nov 6, 2019 | Apache CXF before 3.3.4 and 3.2.11 provides all of the components that are required to build a fully fledged OpenId Connect service. There is a vulnerability in the access token services, where it does not validate that the authenticated principal is equal to that of the supplied |
| CVE-2019-12406 | — | | | < 3.2.11 | 3.2.11 | Nov 6, 2019 | Apache CXF before 3.3.4 and 3.2.11 does not restrict the number of message attachments present in a given message. This leaves open the possibility of a denial of service type attack, where a malicious user crafts a message containing a very large number of message attachments. F |
| CVE-2012-0803 | Critical | 9.8 | | >= 2.4.0, < 2.4.6 | 2.4.6 | Aug 8, 2017 | The WS-SP UsernameToken policy in Apache CXF 2.4.5 and 2.5.1 allows remote attackers to bypass authentication by sending an empty UsernameToken as part of a SOAP request. |
| CVE-2012-5633 | — | | | < 2.5.8 | 2.5.8 | Mar 12, 2013 | The URIMappingInterceptor in Apache CXF before 2.5.8, 2.6.x before 2.6.5, and 2.7.x before 2.7.2, when using the WSS4JInInterceptor, bypasses WS-Security processing, which allows remote attackers to obtain access to SOAP services via an HTTP GET request. |
| CVE-2012-2378 | — | | | >= 2.4.5, < 2.4.8 | 2.4.8 | Jan 5, 2013 | Apache CXF 2.4.5 through 2.4.7, 2.5.1 through 2.5.3, and 2.6.x before 2.6.1, does not properly enforce child policies of a WS-SecurityPolicy 1.1 SupportingToken policy on the client side, which allows remote attackers to bypass the (1) AlgorithmSuite, (2) SignedParts, (3) SignedE |
| CVE-2012-2379 | — | | | >= 2.4.0, < 2.4.8 | 2.4.8 | Jan 3, 2013 | Apache CXF 2.4.x before 2.4.8, 2.5.x before 2.5.4, and 2.6.x before 2.6.1, when a Supporting Token specifies a child WS-SecurityPolicy 1.1 or 1.2 policy, does not properly ensure that an XML element is signed or encrypted, which has unspecified impact and attack vectors. |
| CVE-2012-3451 | — | | | < 2.4.9 | 2.4.9 | Sep 24, 2012 | Apache CXF before 2.4.9, 2.5.x before 2.5.5, and 2.6.x before 2.6.2 allows remote attackers to execute unintended web-service operations by sending a header with a SOAP Action String that is inconsistent with the message body. |