Maven package
org.apache.cxf/cxf-core
pkg:maven/org.apache.cxf/cxf-core
Vulnerabilities (12)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2025-48795 | — | — | — | < 3.5.11 | 3.5.11 | Jul 15, 2025 | Apache CXF stores large stream based messages as temporary files on the local filesystem. A bug was introduced which means that the entire temporary file is read into memory and then logged. An attacker might be able to exploit this to cause a denial of service attack by causing |
| CVE-2025-23184 | — | — | — | < 3.5.10 | 3.5.10 | Jan 21, 2025 | A potential denial of service vulnerability is present in versions of Apache CXF before 3.5.10, 3.6.5 and 4.0.6. In some edge cases, the CachedOutputStream instances may not be closed and, if backed by temporary files, may fill up the file system (it applies to servers and client |
| CVE-2022-46364 | — | — | — | < 3.4.10 | 3.4.10 | Dec 13, 2022 | An SSRF vulnerability in parsing the href attribute of XOP:Include in MTOM requests in versions of Apache CXF before 3.5.5 and 3.4.10 allows an attacker to perform SSRF style attacks on webservices that take at least one parameter of any type. |
| CVE-2022-46363 | — | — | — | < 3.4.10 | 3.4.10 | Dec 13, 2022 | A vulnerability in Apache CXF before versions 3.5.5 and 3.4.10 allows an attacker to perform a remote directory listing or code exfiltration. The vulnerability only applies when the CXFServlet is configured with both the static-resources-list and redirect-query-check attributes. |
| CVE-2017-12624 | Medium | 5.5 | — | >= 3.2.0, < 3.2.1 | 3.2.1 | Nov 14, 2017 | Apache CXF supports sending and receiving attachments via either the JAX-WS or JAX-RS specifications. It is possible to craft a message attachment header that could lead to a Denial of Service (DoS) attack on a CXF web service provider. Both JAX-WS and JAX-RS services are vulnera |
| CVE-2016-8739 | High | 7.5 | — | < 3.0.12 | 3.0.12 | Aug 10, 2017 | The JAX-RS module in Apache CXF prior to 3.0.12 and 3.1.x prior to 3.1.9 provides a number of Atom JAX-RS MessageBodyReaders. These readers use Apache Abdera Parser which expands XML entities by default which represents a major XXE risk. |
| CVE-2016-6812 | Medium | 6.1 | — | < 3.0.12 | 3.0.12 | Aug 10, 2017 | The HTTP transport module in Apache CXF prior to 3.0.12 and 3.1.x prior to 3.1.9 uses FormattedServiceListWriter to provide an HTML page which lists the names and absolute URL addresses of the available service endpoints. The module calculates the base URL using the current HttpS |
| CVE-2017-5656 | High | 7.5 | — | >= 3.1.0, < 3.1.11 | 3.1.11 | Apr 18, 2017 | Apache CXF's STSClient before 3.1.11 and 3.0.13 uses a flawed way of caching tokens that are associated with delegation tokens, which means that an attacker could craft a token which would return an identifier corresponding to a cached token for another user. |
| CVE-2017-5653 | Medium | 5.3 | — | >= 3.1.0, < 3.1.11 | 3.1.11 | Apr 18, 2017 | JAX-RS XML Security streaming clients in Apache CXF before 3.1.11 and 3.0.13 do not validate that the service response was signed or encrypted, which allows remote attackers to spoof servers. |
| CVE-2014-0035 | — | — | — | < 2.6.13 | 2.6.13 | Jul 7, 2014 | The SymmetricBinding in Apache CXF before 2.6.13 and 2.7.x before 2.7.10, when EncryptBeforeSigning is enabled and the UsernameToken policy is set to an EncryptedSupportingToken, transmits the UsernameToken in cleartext, which allows remote attackers to obtain sensitive informati |
| CVE-2014-0110 | — | — | — | < 2.6.14 | 2.6.14 | May 8, 2014 | Apache CXF before 2.6.14 and 2.7.x before 2.7.11 allows remote attackers to cause a denial of service (/tmp disk consumption) via a large invalid SOAP message. |
| CVE-2014-0109 | — | — | — | < 2.6.14 | 2.6.14 | May 8, 2014 | Apache CXF before 2.6.14 and 2.7.x before 2.7.11 allows remote attackers to cause a denial of service (memory consumption) via a large request with the Content-Type set to text/html to a SOAP endpoint, which triggers an error. |