VulnerableCode Package Details - pkg:maven/org.apache.cxf/cxf-api@2.7.4

Search for packages

Vulnerability	Summary	Fixed by
VCID-darq-bg13-x3fd Aliases: CVE-2020-13954 GHSA-64x2-gq24-75pv	Cross-site scripting in Apache CXF By default, Apache CXF creates a /services page containing a listing of the available endpoint names and addresses. This webpage is vulnerable to a reflected Cross-Site Scripting (XSS) attack via the styleSheetPath, which allows a malicious actor to inject javascript into the web page. This vulnerability affects all versions of Apache CXF prior to 3.4.1 and 3.3.8. Please note that this is a separate issue to CVE-2019-17573.	3.3.8 Affected by 0 other vulnerabilities. 3.4.1 Affected by 0 other vulnerabilities.
VCID-x3q1-vymh-jkew Aliases: CVE-2021-22696 GHSA-7q4h-pj78-j7vg	Authorization service vulnerable to DDos attacks in Apache CFX CXF supports (via JwtRequestCodeFilter) passing OAuth 2 parameters via a JWT token as opposed to query parameters (see: The OAuth 2.0 Authorization Framework: JWT Secured Authorization Request (JAR)). Instead of sending a JWT token as a "request" parameter, the spec also supports specifying a URI from which to retrieve a JWT token from via the "request_uri" parameter. CXF was not validating the "request_uri" parameter (apart from ensuring it uses "https) and was making a REST request to the parameter in the request to retrieve a token. This means that CXF was vulnerable to DDos attacks on the authorization server, as specified in section 10.4.1 of the spec. This issue affects Apache CXF versions prior to 3.4.3; Apache CXF versions prior to 3.3.10.	There are no reported fixed by versions.

Vulnerability

Summary

Fixed by

VCID-darq-bg13-x3fd
Aliases:
CVE-2020-13954
GHSA-64x2-gq24-75pv

Cross-site scripting in Apache CXF By default, Apache CXF creates a /services page containing a listing of the available endpoint names and addresses. This webpage is vulnerable to a reflected Cross-Site Scripting (XSS) attack via the styleSheetPath, which allows a malicious actor to inject javascript into the web page. This vulnerability affects all versions of Apache CXF prior to 3.4.1 and 3.3.8. Please note that this is a separate issue to CVE-2019-17573.

3.3.8
Affected by 0 other vulnerabilities.

3.4.1
Affected by 0 other vulnerabilities.

VCID-x3q1-vymh-jkew
Aliases:
CVE-2021-22696
GHSA-7q4h-pj78-j7vg

Authorization service vulnerable to DDos attacks in Apache CFX CXF supports (via JwtRequestCodeFilter) passing OAuth 2 parameters via a JWT token as opposed to query parameters (see: The OAuth 2.0 Authorization Framework: JWT Secured Authorization Request (JAR)). Instead of sending a JWT token as a "request" parameter, the spec also supports specifying a URI from which to retrieve a JWT token from via the "request_uri" parameter. CXF was not validating the "request_uri" parameter (apart from ensuring it uses "https) and was making a REST request to the parameter in the request to retrieve a token. This means that CXF was vulnerable to DDos attacks on the authorization server, as specified in section 10.4.1 of the spec. This issue affects Apache CXF versions prior to 3.4.3; Apache CXF versions prior to 3.3.10.

There are no reported fixed by versions.

Vulnerability	Summary	Aliases
VCID-u5sk-1a1u-zuex	Denial of Service Attacks on Apache CXF The streaming XML parser in this package remote attackers to cause a denial of service (CPU and memory consumption) via crafted XML with a large number of elements, attributes, nested constructs, and possibly other vectors.	CVE-2013-2160 GHSA-254q-rp36-v2m8

Vulnerability

Summary

Aliases

VCID-u5sk-1a1u-zuex

Denial of Service Attacks on Apache CXF The streaming XML parser in this package remote attackers to cause a denial of service (CPU and memory consumption) via crafted XML with a large number of elements, attributes, nested constructs, and possibly other vectors.

CVE-2013-2160
GHSA-254q-rp36-v2m8

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-04-11T22:32:28.407707+00:00	GitLab Importer	Affected by	VCID-x3q1-vymh-jkew	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.apache.cxf/cxf-api/CVE-2021-22696.yml	38.3.0
2026-04-11T22:25:49.976521+00:00	GitLab Importer	Affected by	VCID-darq-bg13-x3fd	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.apache.cxf/cxf-api/CVE-2020-13954.yml	38.3.0
2026-04-11T21:41:12.795322+00:00	GitLab Importer	Fixing	VCID-u5sk-1a1u-zuex	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.apache.cxf/cxf-api/CVE-2013-2160.yml	38.3.0
2026-04-02T22:43:43.320564+00:00	GitLab Importer	Affected by	VCID-x3q1-vymh-jkew	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.apache.cxf/cxf-api/CVE-2021-22696.yml	38.1.0
2026-04-02T22:37:36.253804+00:00	GitLab Importer	Affected by	VCID-darq-bg13-x3fd	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.apache.cxf/cxf-api/CVE-2020-13954.yml	38.1.0
2026-04-02T21:55:22.447141+00:00	GitLab Importer	Fixing	VCID-u5sk-1a1u-zuex	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.apache.cxf/cxf-api/CVE-2013-2160.yml	38.1.0
2026-04-01T17:01:29.653212+00:00	GitLab Importer	Affected by	VCID-x3q1-vymh-jkew	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.apache.cxf/cxf-api/CVE-2021-22696.yml	38.0.0
2026-04-01T16:54:55.613333+00:00	GitLab Importer	Affected by	VCID-darq-bg13-x3fd	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.apache.cxf/cxf-api/CVE-2020-13954.yml	38.0.0
2026-04-01T12:46:50.028027+00:00	GitLab Importer	Fixing	VCID-u5sk-1a1u-zuex	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.apache.cxf/cxf-api/CVE-2013-2160.yml	38.0.0