Latest Apache CXF Vulnerabilities

A SSRF vulnerability in parsing the href attribute of XOP:Include in MTOM requests in versions of Apache CXF before 3.5.5 and 3.4.10 allows an attacker to perform SSRF style attacks on webservices tha...
redhat/Apache CXF<3.5.5
redhat/Apache CXF<3.4.10
redhat/eap7-apache-cxf<0:3.4.10-1.redhat_00001.1.el8ea
redhat/eap7-apache-cxf<0:3.4.10-1.redhat_00001.1.el9ea
redhat/eap7-apache-cxf<0:3.4.10-1.redhat_00001.1.el7ea
redhat/rh-sso7-keycloak<0:18.0.6-1.redhat_00001.1.el7
and 5 more
A vulnerability in Apache CXF before versions 3.5.5 and 3.4.10 allows an attacker to perform a remote directory listing or code exfiltration. The vulnerability only applies when the CXFServlet is conf...
maven/org.apache.cxf:cxf-core>=3.5.0<3.5.5
maven/org.apache.cxf:cxf-core<3.4.10
redhat/Apache CXF<3.5.5
redhat/Apache CXF<3.4.10
redhat/rh-sso7-keycloak<0:18.0.6-1.redhat_00001.1.el7
redhat/rh-sso7-keycloak<0:18.0.6-1.redhat_00001.1.el8
and 4 more
All versions of Apache Santuario - XML Security for Java prior to 2.2.3 and 2.1.7 are vulnerable to an issue where the "secureValidation" property is not passed correctly when creating a KeyInfo from ...
maven/org.apache.santuario:xmlsec<2.1.7
maven/org.apache.santuario:xmlsec>=2.2.0<2.2.3
Apache Santuario XML Security for Java<2.1.7
Apache Santuario XML Security for Java>=2.2.0<2.2.3
Apache CXF=3.4.4
Apache TomEE<8.0.8
and 70 more
A vulnerability in the JsonMapObjectReaderWriter of Apache CXF allows an attacker to submit malformed JSON to a web service, which results in the thread getting stuck in an infinite loop, consuming CP...
Apache CXF<3.3.11
Apache CXF>=3.4.0<3.4.4
Apache TomEE=8.0.6
Oracle Business Intelligence=5.5.0.0.0
Oracle Business Intelligence=5.9.0.0.0
Oracle Business Intelligence=12.2.1.3.0
and 12 more
Apache CXF is vulnerable to a denial of service, caused by improper validation of request_uri parameter by the OAuth 2 authorization service. By sending a specially-crafted request, a remote attacker ...
Apache CXF<3.3.10
Apache CXF>=3.4.0<3.4.3
Oracle Business Intelligence=5.5.0.0.0
Oracle Business Intelligence=5.9.0.0.0
Oracle Business Intelligence=12.2.1.3.0
Oracle Business Intelligence=12.2.1.4.0
and 13 more
Apache CXF is vulnerable to cross-site scripting, caused by improper validation of user-supplied input by the services listing page. A remote attacker could exploit this vulnerability using the styleS...
Apache CXF<3.3.8
Apache CXF>=3.4.0<3.4.1
NetApp Snap Creator Framework
NetApp VASA Provider for Clustered Data ONTAP>=9.6
Oracle Business Intelligence=5.5.0.0.0
Oracle Business Intelligence=5.9.0.0.0
and 14 more
Apache CXF has the ability to integrate with JMX by registering an `InstrumentationManager` extension with the CXF bus. If the `createMBServerConnectorFactory` property of the default `Instrumentation...
maven/org.apache.cxf:cxf-rt-management>=3.3.0<3.3.6
maven/org.apache.cxf:cxf-rt-management<3.2.13
redhat/eap7-activemq-artemis<0:2.9.0-5.redhat_00011.1.el6ea
redhat/eap7-activemq-artemis-native<1:1.0.2-1.redhat_00001.1.el6ea
redhat/eap7-apache-commons-codec<0:1.14.0-1.redhat_00001.1.el6ea
redhat/eap7-apache-commons-lang<0:3.10.0-1.redhat_00001.1.el6ea
and 98 more
Apache CXF is vulnerable to cross-site scripting, caused by improper validation of user-supplied input by the services listing page. A remote attacker could exploit this vulnerability using a speciall...
redhat/eap7-activemq-artemis<0:2.9.0-4.redhat_00010.1.el6ea
redhat/eap7-apache-cxf<0:3.2.12-1.redhat_00001.1.el6ea
redhat/eap7-bouncycastle<0:1.60.0-2.redhat_00002.1.el6ea
redhat/eap7-codehaus-jackson<0:1.9.13-10.redhat_00007.1.el6ea
redhat/eap7-cryptacular<0:1.2.4-1.redhat_00001.1.el6ea
redhat/eap7-glassfish-el<0:3.0.1-5.b08_redhat_00004.1.el6ea
and 276 more
Apache CXF could allow a remote attacker to obtain sensitive information, caused by a flaw in the OpenId Connect JWK Keys service it ships with. By accessing the JWK keystore file, an attacker could exploi...
redhat/eap7-activemq-artemis<0:2.9.0-4.redhat_00010.1.el6ea
redhat/eap7-apache-cxf<0:3.2.12-1.redhat_00001.1.el6ea
redhat/eap7-bouncycastle<0:1.60.0-2.redhat_00002.1.el6ea
redhat/eap7-codehaus-jackson<0:1.9.13-10.redhat_00007.1.el6ea
redhat/eap7-cryptacular<0:1.2.4-1.redhat_00001.1.el6ea
redhat/eap7-glassfish-el<0:3.0.1-5.b08_redhat_00004.1.el6ea
and 282 more
Apache CXF before 3.3.4 and 3.2.11 does not restrict the number of message attachments present in a given message. This leaves open the possibility of a denial of service type attack, where a maliciou...
Apache CXF<3.2.11
Apache CXF>=3.3.0<3.3.4
Oracle Commerce Guided Search=11.3.2
Oracle FLEXCUBE Private Banking=12.0.0
Oracle FLEXCUBE Private Banking=12.1.0
Oracle Retail Order Broker=15.0
and 9 more
Apache CXF before 3.3.4 and 3.2.11 provides all of the components that are required to build a fully fledged OpenId Connect service. There is a vulnerability in the access token services, where it doe...
redhat/cxf<3.3.4
redhat/cxf<3.2.11
Apache CXF>=3.2.0<3.2.11
Apache CXF>=3.3.0<3.3.4
Oracle Commerce Guided Search=11.3.2
Oracle Enterprise Manager Base Platform=13.2.1.0
and 3 more
A flaw was found in the way Apache CXF handles exceptions when CXF is configured to use the com.sun.net.ssl implementation via System.setProperty("java.protocol.handler.pkgs", "com.sun.net.ssl.internal...
Apache CXF<3.1.16
Apache CXF>=3.2.0<3.2.5
Redhat Jboss Enterprise Application Platform=7.1.0
maven/org.apache.cxf:apache-cxf<3.1.16
maven/org.apache.cxf:apache-cxf>=3.2.0<3.2.5
maven/org.apache.cxf:cxf<3.1.16
and 10 more

© 2024 SecAlerts Pty Ltd.