CVE-2024-41172 – org.apache.cxf:cxf-rt-transports-http
Package
Manager: maven
Name: org.apache.cxf:cxf-rt-transports-http
Vulnerable Version: >=4.0.0 <4.0.5 || >=3.6.0 <3.6.4
Severity
Level: Medium
CVSS v3.1: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L
CVSS v4.0: CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
EPSS: 0.00449 (percentile 0.62725)
Details
Apache CXF allows unrestricted memory consumption in CXF HTTP clients. In versions of Apache CXF before 3.6.4 and 4.0.5 (3.5.x and lower versions are not impacted), a CXF HTTP client conduit may prevent HTTPClient instances from being garbage collected, so memory consumption can continue to increase until the application runs out of memory.
Metadata
Created: 2024-07-19T09:32:06Z
Modified: 2024-11-18T16:26:53Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/07/GHSA-4mgg-fqfq-64hg/GHSA-4mgg-fqfq-64hg.json
CWE IDs: ["CWE-401"]
Alternative ID: GHSA-4mgg-fqfq-64hg
Finding: F067
Auto approve: 1