CVE-2019-12406
First published: Wed Nov 06 2019(Updated: )
Apache CXF before 3.3.4 and 3.2.11 does not restrict the number of message attachments present in a given message. This leaves open the possibility of a denial of service type attack, where a malicious user crafts a message containing a very large number of message attachments. From the 3.3.4 and 3.2.11 releases, a default limit of 50 message attachments is enforced. This is configurable via the message property "attachment-max-count".
Credit: security@apache.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Apache CXF | <3.2.11 | |
| Apache CXF | >=3.3.0<3.3.4 | |
| Oracle Commerce Guided Search | =11.3.2 | |
| Oracle FLEXCUBE Private Banking | =12.0.0 | |
| Oracle FLEXCUBE Private Banking | =12.1.0 | |
| Oracle Retail Order Broker | =15.0 | |
| redhat/cxf | <3.3.4 | 3.3.4 |
| redhat/cxf | <3.2.11 | 3.2.11 |
| IBM Security Identity Manager Virtual Appliance | <=7.0.2 | |
| IBM Security Identity Manager Virtual Appliance | <=7.0.1 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://www.cve.org/CVERecord?id=CVE-2019-12406 https://nvd.nist.gov/vuln/detail/CVE-2019-12406
- https://bugzilla.redhat.com/show_bug.cgi?id=1816170
- https://access.redhat.com/errata/RHSA-2020:3196
- https://access.redhat.com/errata/RHSA-2020:5568
- https://access.redhat.com/errata/RHSA-2020:3197
- https://access.redhat.com/errata/RHSA-2020:2067
- https://access.redhat.com/security/cve/cve-2019-12406
- http://cxf.apache.org/security-advisories.data/CVE-2019-12406.txt.asc
- https://lists.apache.org/thread.html/r36e44ffc1a9b365327df62cdfaabe85b9a5637de102cea07d79b2dbf@%3Ccommits.cxf.apache.org%3E
- https://lists.apache.org/thread.html/r92238967ba2783d3ab5a483f2e17f5fdaa8ace98990f69f9e8e15de0@%3Cissues.cxf.apache.org%3E
- https://lists.apache.org/thread.html/rabc395b38acb7f2465bfbf0bc16d6e1e95720c89bea87abe8808eeea@%3Cissues.cxf.apache.org%3E
- https://lists.apache.org/thread.html/rb2a6dab1f781f55326543c56dc29ea677759439ddfeba920c83037e6@%3Cissues.cxf.apache.org%3E
- https://lists.apache.org/thread.html/rc774278135816e7afc943dc9fc78eb0764f2c84a2b96470a0187315c@%3Ccommits.cxf.apache.org%3E
- https://lists.apache.org/thread.html/rca465c9d1e1969281338522b76701c85a07abd045c494261137236e0@%3Cissues.cxf.apache.org%3E
- https://lists.apache.org/thread.html/rd49aabd984ed540c8ff7916d4d79405f3fa311d2fdbcf9ed307839a6@%3Ccommits.cxf.apache.org%3E
- https://lists.apache.org/thread.html/rec7160382badd3ef4ad017a22f64a266c7188b9ba71394f0d321e2d4@%3Ccommits.cxf.apache.org%3E
- https://lists.apache.org/thread.html/rfb87e0bf3995e7d560afeed750fac9329ff5f1ad49da365129b7f89e@%3Ccommits.cxf.apache.org%3E
- https://lists.apache.org/thread.html/rff42cfa5e7d75b7c1af0e37589140a8f1999e578a75738740b244bd4@%3Ccommits.cxf.apache.org%3E
- https://www.oracle.com/security-alerts/cpuApr2021.html
- https://www.oracle.com/security-alerts/cpuapr2020.html
- https://www.oracle.com/security-alerts/cpujan2020.html
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1816172
- https://access.redhat.com/support/policy/updates/jboss_notesfor
- https://exchange.xforce.ibmcloud.com/vulnerabilities/170974
- https://www.ibm.com/support/pages/node/6242348 (Advisory)
- https://lists.apache.org/thread.html/rc774278135816e7afc943dc9fc78eb0764f2c84a2b96470a0187315c%40%3Ccommits.cxf.apache.org%3E
- https://lists.apache.org/thread.html/r36e44ffc1a9b365327df62cdfaabe85b9a5637de102cea07d79b2dbf%40%3Ccommits.cxf.apache.org%3E
- https://lists.apache.org/thread.html/rff42cfa5e7d75b7c1af0e37589140a8f1999e578a75738740b244bd4%40%3Ccommits.cxf.apache.org%3E
- https://lists.apache.org/thread.html/rb2a6dab1f781f55326543c56dc29ea677759439ddfeba920c83037e6%40%3Cissues.cxf.apache.org%3E
- https://lists.apache.org/thread.html/r92238967ba2783d3ab5a483f2e17f5fdaa8ace98990f69f9e8e15de0%40%3Cissues.cxf.apache.org%3E
- https://lists.apache.org/thread.html/rabc395b38acb7f2465bfbf0bc16d6e1e95720c89bea87abe8808eeea%40%3Cissues.cxf.apache.org%3E
- https://lists.apache.org/thread.html/rca465c9d1e1969281338522b76701c85a07abd045c494261137236e0%40%3Cissues.cxf.apache.org%3E
- https://lists.apache.org/thread.html/rd49aabd984ed540c8ff7916d4d79405f3fa311d2fdbcf9ed307839a6%40%3Ccommits.cxf.apache.org%3E
- https://lists.apache.org/thread.html/rec7160382badd3ef4ad017a22f64a266c7188b9ba71394f0d321e2d4%40%3Ccommits.cxf.apache.org%3E
- https://lists.apache.org/thread.html/rfb87e0bf3995e7d560afeed750fac9329ff5f1ad49da365129b7f89e%40%3Ccommits.cxf.apache.org%3E
Parent vulnerabilities
(Appears in the following advisories)
Frequently Asked Questions
What is CVE-2019-12406?
CVE-2019-12406 is a vulnerability in Apache CXF that allows a malicious user to perform a denial of service attack by sending a message with a large number of attachments.
What is the severity of CVE-2019-12406?
The severity of CVE-2019-12406 is medium with a CVSS score of 6.5.
How does CVE-2019-12406 affect Apache CXF?
CVE-2019-12406 affects Apache CXF versions before 3.3.4 and 3.2.11, allowing a denial of service attack by exploiting the unrestricted number of message attachments.
How can I fix CVE-2019-12406?
To fix CVE-2019-12406, upgrade to Apache CXF version 3.3.4 or 3.2.11.
Where can I find more information about CVE-2019-12406?
More information about CVE-2019-12406 can be found at the following references: [link 1], [link 2], [link 3].
- collector/redhat-cve
- collector/nvd-index
- agent/type
- agent/first-publish-date
- agent/author
- agent/severity
- agent/remedy
- agent/weakness
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2019-12406
- agent/software-canonical-lookup
- agent/description
- agent/event
- collector/ibm-support
- source/IBM
- agent/references
- agent/last-modified-date
- agent/softwarecombine
- agent/tags
- collector/mitre-cve
- source/MITRE
- vendor/apache
- canonical/apache cxf
- version/apache cxf/3.3.0
- vendor/oracle
- canonical/oracle commerce guided search
- version/oracle commerce guided search/11.3.2
- canonical/oracle flexcube private banking
- version/oracle flexcube private banking/12.0.0
- version/oracle flexcube private banking/12.1.0
- canonical/oracle retail order broker
- version/oracle retail order broker/15.0
- package-manager/redhat
- vendor/ibm
- canonical/ibm security identity manager virtual appliance
- version/ibm security identity manager virtual appliance/7.0.2
- version/ibm security identity manager virtual appliance/7.0.1