Fluid Attacks Database

Description

Apache CXF Denial of Service vulnerability in JOSE An improper input validation of the p2c parameter in the Apache CXF JOSE code before 4.0.5, 3.6.4 and 3.5.9 allows an attacker to perform a denial of service attack by specifying a large value for this parameter in a token.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
maven	org.apache.cxf:cxf-rt-rs-security-jose	>=4.0.0 <4.0.5 \|\| >=3.6.0 <3.6.4 \|\| >=0 <3.5.9	4.0.5, 3.6.4, 3.5.9

Aliases

1. CVE-2024-320072. NVD-2024-320073. OSV-2024-320074. GCVE-2024-32007

References

1. https://github.com/apache/cxf/commit/20793d3fed2e73e2785a58ec5b47403306ae4a5c2. https://github.com/apache/cxf/commit/2d2baa3455db7439bf1ed4e00edfc5a7106edf7d3. https://github.com/apache/cxf/commit/d1d77c34c199c2c87ebcfe23e3c81dccfe2e24734. https://lists.apache.org/thread/stwrgsr1llb73nkl16klv9vjqgmmx633

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.