CVE-2013-2160 – org.apache.cxf:cxf-rt-frontend-jaxrs
Package
Manager: maven
Name: org.apache.cxf:cxf-rt-frontend-jaxrs
Vulnerable Version: >=2.5.0 <2.5.10 || >=2.6.0 <2.6.7 || >=2.7.0 <2.7.4
Severity
Level: Medium
CVSS v3.1: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:L/E:U/RL:O/RC:C
CVSS v4.0: CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N
EPSS: 0.203 (percentile 0.95305)
Details
Missing XML Validation in Apache CXF
The streaming XML parser in Apache CXF 2.5.x before 2.5.10, 2.6.x before 2.6.7, and 2.7.x before 2.7.4 allows remote attackers to cause a denial of service (CPU and memory consumption) via crafted XML with a large number of (1) elements, (2) attributes, (3) nested constructs, and possibly other vectors.
Metadata
Created: 2022-05-13T01:09:20Z
Modified: 2022-07-08T19:08:08Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-254q-rp36-v2m8/GHSA-254q-rp36-v2m8.json
CWE IDs: ["CWE-112"]
Alternative ID: GHSA-254q-rp36-v2m8
Finding: F014
Auto approve: 1