CVE-2024-28752: Apache CXF SSRF Vulnerability using the Aegis databinding
First published: Thu Mar 14 2024(Updated: )
A SSRF vulnerability using the Aegis DataBinding in versions of Apache CXF before 4.0.4, 3.6.3 and 3.5.8 allows an attacker to perform SSRF style attacks on webservices that take at least one parameter of any type. Users of other data bindings (including the default databinding) are not impacted.
Credit: security@apache.org security@apache.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| maven/org.apache.cxf:cxf-core | >=4.0.0<4.0.4 | 4.0.4 |
| maven/org.apache.cxf:cxf-core | >=3.6.0<3.6.3 | 3.6.3 |
| maven/org.apache.cxf:cxf-core | <3.5.8 | 3.5.8 |
| redhat/cxf-core | <3.5.8 | 3.5.8 |
| redhat/cxf-core | <3.6.3 | 3.6.3 |
| redhat/cxf-core | <4.0.4 | 4.0.4 |
| IBM QRadar SIEM | <=7.5 - 7.5.0 UP9 IF03 | |
| IBM QRadar Incident Forensics | <=7.5 - 7.5.0 UP9 IF03 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://www.openwall.com/lists/oss-security/2024/03/14/3
- https://cxf.apache.org/security-advisories.data/CVE-2024-28752.txt
- https://security.netapp.com/advisory/ntap-20240517-0001/
- https://nvd.nist.gov/vuln/detail/CVE-2024-28752
- https://security.netapp.com/advisory/ntap-20240517-0001
- https://github.com/advisories/GHSA-qmgx-j96g-4428 (Advisory)
- https://access.redhat.com/errata/RHSA-2024:3559
- https://access.redhat.com/errata/RHSA-2024:3561
- https://access.redhat.com/errata/RHSA-2024:3560
- https://access.redhat.com/errata/RHSA-2024:3563
- https://access.redhat.com/errata/RHSA-2024:3708
- https://access.redhat.com/errata/RHSA-2024:5482
- https://access.redhat.com/errata/RHSA-2024:5479
- https://access.redhat.com/errata/RHSA-2024:5481
- https://access.redhat.com/errata/RHSA-2024:8339
- https://access.redhat.com/errata/RHSA-2024:10208
- https://access.redhat.com/errata/RHSA-2024:10207
- https://bugzilla.redhat.com/show_bug.cgi?id=2270732
- https://www.ibm.com/support/pages/node/7173420 (Advisory)
Frequently Asked Questions
What is the severity of CVE-2024-28752?
CVE-2024-28752 is classified as a high-severity SSRF vulnerability affecting certain versions of Apache CXF.
How do I fix CVE-2024-28752?
To fix CVE-2024-28752, upgrade Apache CXF to version 4.0.4, 3.6.3, or 3.5.8 or later.
Which versions of Apache CXF are affected by CVE-2024-28752?
CVE-2024-28752 affects versions of Apache CXF prior to 4.0.4, 3.6.3, and 3.5.8.
What type of attack does CVE-2024-28752 enable?
CVE-2024-28752 enables Server Side Request Forgery (SSRF) attacks on web services.
Are any other software products impacted by CVE-2024-28752?
Yes, IBM's QRadar SIEM and QRadar Incident Forensics are also impacted by CVE-2024-28752.
- collector/oss-sec
- source/oss-sec
- alias/CVE-2024-28752
- agent/title
- agent/first-publish-date
- agent/type
- agent/author
- collector/epss-latest
- source/FIRST
- agent/epss
- agent/softwarecombine
- agent/description
- agent/weakness
- collector/nvd-api
- source/NVD
- collector/mitre-cve
- source/MITRE
- collector/nvd-cve
- collector/github-advisory-latest
- source/GitHub
- alias/GHSA-qmgx-j96g-4428
- agent/software-canonical-lookup
- agent/severity
- agent/event
- collector/github-advisory
- agent/references
- collector/redhat-bugzilla
- source/Red Hat
- agent/last-modified-date
- agent/trending
- agent/source
- agent/tags
- collector/ibm-support
- source/IBM
- package-manager/maven
- package-manager/redhat
- vendor/ibm
- canonical/ibm qradar siem
- version/ibm qradar siem/7.5 - 7.5.0 up9 if03
- canonical/ibm qradar incident forensics
- version/ibm qradar incident forensics/7.5 - 7.5.0 up9 if03