CVE-2017-12624 – org.apache.cxf:cxf-core

Package

Manager: maven
Name: org.apache.cxf:cxf-core
Vulnerable Version: =3.2.0 || >=3.2.0 <3.2.1 || >=3.1.0 <3.1.14 || >=0 <3.0.16

Severity

Level: Medium

CVSS v3.1: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

EPSS: 0.02297 pctl0.84125

Details

Improper Input Validation in Apache CXF Apache CXF supports sending and receiving attachments via either the JAX-WS or JAX-RS specifications. It is possible to craft a message attachment header that could lead to a Denial of Service (DoS) attack on a CXF web service provider. Both JAX-WS and JAX-RS services are vulnerable to this attack. From Apache CXF 3.2.1 and 3.1.14, message attachment headers that are greater than 300 characters will be rejected by default. This value is configurable via the property "attachment-max-header-size".

Metadata

Created: 2022-05-13T01:09:20Z
Modified: 2022-07-01T20:31:48Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-7vgj-8mw4-hg8r/GHSA-7vgj-8mw4-hg8r.json
CWE IDs: ["CWE-20"]
Alternative ID: GHSA-7vgj-8mw4-hg8r
Finding: F184
Auto approve: 1