CVE-2024-32007 – org.apache.cxf:cxf-rt-rs-security-jose
Package
Manager: maven
Name: org.apache.cxf:cxf-rt-rs-security-jose
Vulnerable Version: >=4.0.0 <4.0.5 || >=3.6.0 <3.6.4 || >=0 <3.5.9
Severity
Level: Medium
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
EPSS: 0.00172 (percentile 0.38975)
Details
Apache CXF Denial of Service vulnerability in JOSE. Improper input validation of the p2c parameter in the Apache CXF JOSE code before 4.0.5, 3.6.4 and 3.5.9 allows an attacker to perform a denial of service attack by specifying a large value for this parameter in a token.
Metadata
Created: 2024-07-19T09:32:06Z
Modified: 2024-07-19T18:34:49Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/07/GHSA-6pff-fmh2-4mmf/GHSA-6pff-fmh2-4mmf.json
CWE IDs: ["CWE-20"]
Alternative ID: GHSA-6pff-fmh2-4mmf
Finding: F184
Auto approve: 1