Search for packages
| purl | pkg:maven/org.apache.cxf/cxf-api@2.5.3 |
| Next non-vulnerable version | None. |
| Latest non-vulnerable version | None. |
| Risk | 10.0 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-darq-bg13-x3fd
Aliases: CVE-2020-13954 GHSA-64x2-gq24-75pv |
Cross-site scripting in Apache CXF By default, Apache CXF creates a /services page containing a listing of the available endpoint names and addresses. This webpage is vulnerable to a reflected Cross-Site Scripting (XSS) attack via the styleSheetPath, which allows a malicious actor to inject javascript into the web page. This vulnerability affects all versions of Apache CXF prior to 3.4.1 and 3.3.8. Please note that this is a separate issue to CVE-2019-17573. |
Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-n8bd-use6-pbb2
Aliases: CVE-2012-3451 GHSA-55j7-f5wf-43m4 |
Apache CXF before 2.4.9, 2.5.x before 2.5.5, and 2.6.x before 2.6.2 allows remote attackers to execute unintended web-service operations by sending a header with a SOAP Action String that is inconsistent with the message body. |
Affected by 3 other vulnerabilities. Affected by 3 other vulnerabilities. |
|
VCID-u5sk-1a1u-zuex
Aliases: CVE-2013-2160 GHSA-254q-rp36-v2m8 |
Denial of Service Attacks on Apache CXF The streaming XML parser in this package remote attackers to cause a denial of service (CPU and memory consumption) via crafted XML with a large number of elements, attributes, nested constructs, and possibly other vectors. |
Affected by 2 other vulnerabilities. Affected by 2 other vulnerabilities. Affected by 2 other vulnerabilities. |
|
VCID-x3q1-vymh-jkew
Aliases: CVE-2021-22696 GHSA-7q4h-pj78-j7vg |
Authorization service vulnerable to DDos attacks in Apache CFX CXF supports (via JwtRequestCodeFilter) passing OAuth 2 parameters via a JWT token as opposed to query parameters (see: The OAuth 2.0 Authorization Framework: JWT Secured Authorization Request (JAR)). Instead of sending a JWT token as a "request" parameter, the spec also supports specifying a URI from which to retrieve a JWT token from via the "request_uri" parameter. CXF was not validating the "request_uri" parameter (apart from ensuring it uses "https) and was making a REST request to the parameter in the request to retrieve a token. This means that CXF was vulnerable to DDos attacks on the authorization server, as specified in section 10.4.1 of the spec. This issue affects Apache CXF versions prior to 3.4.3; Apache CXF versions prior to 3.3.10. | There are no reported fixed by versions. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| This package is not known to fix vulnerabilities. | ||