Staging Environment: Content and features may be unstable or change without notice.
Search for packages
Package details: pkg:maven/org.apache.cxf/apache-cxf@3.4.3
purl pkg:maven/org.apache.cxf/apache-cxf@3.4.3
Vulnerabilities affecting this package (0)
Vulnerability Summary Fixed by
This package is not known to be affected by vulnerabilities.
Vulnerabilities fixed by this package (1)
Vulnerability Summary Aliases
VCID-x3q1-vymh-jkew Authorization service vulnerable to DDos attacks in Apache CFX CXF supports (via JwtRequestCodeFilter) passing OAuth 2 parameters via a JWT token as opposed to query parameters (see: The OAuth 2.0 Authorization Framework: JWT Secured Authorization Request (JAR)). Instead of sending a JWT token as a "request" parameter, the spec also supports specifying a URI from which to retrieve a JWT token from via the "request_uri" parameter. CXF was not validating the "request_uri" parameter (apart from ensuring it uses "https) and was making a REST request to the parameter in the request to retrieve a token. This means that CXF was vulnerable to DDos attacks on the authorization server, as specified in section 10.4.1 of the spec. This issue affects Apache CXF versions prior to 3.4.3; Apache CXF versions prior to 3.3.10. CVE-2021-22696
GHSA-7q4h-pj78-j7vg

Date Actor Action Vulnerability Source VulnerableCode Version
2026-04-02T16:56:41.421860+00:00 GHSA Importer Fixing VCID-x3q1-vymh-jkew https://github.com/advisories/GHSA-7q4h-pj78-j7vg 38.1.0
2026-04-01T13:02:34.024828+00:00 GithubOSV Importer Fixing VCID-x3q1-vymh-jkew https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/05/GHSA-7q4h-pj78-j7vg/GHSA-7q4h-pj78-j7vg.json 38.0.0