Search for packages
| purl | pkg:maven/org.apache.cxf/cxf-core@3.0.3 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-669s-jgrm-efgg
Aliases: CVE-2018-8039 GHSA-jc7r-v6fg-2gpf |
It is possible to configure Apache CXF to use the com.sun.net.ssl implementation via 'System.setProperty("java.protocol.handler.pkgs", "com.sun.net.ssl.internal.www.protocol");'. When this system property is set, CXF uses some reflection to try to make the HostnameVerifier work with the old com.sun.net.ssl.HostnameVerifier interface. However, the default HostnameVerifier implementation in CXF does not implement the method in this interface, and an exception is thrown. However, in Apache CXF prior to 3.2.5 and 3.1.16 the exception is caught in the reflection code and not properly propagated. What this means is that if you are using the com.sun.net.ssl stack with CXF, an error with TLS hostname verification will not be thrown, leaving a CXF client subject to man-in-the-middle attacks. |
Affected by 10 other vulnerabilities. Affected by 12 other vulnerabilities. |
|
VCID-6nvj-sh6e-q3h3
Aliases: CVE-2017-5653 GHSA-hgg6-8x62-m9gf |
JAX-RS XML Security streaming clients in Apache CXF before 3.1.11 and 3.0.13 do not validate that the service response was signed or encrypted, which allows remote attackers to spoof servers. |
Affected by 12 other vulnerabilities. Affected by 12 other vulnerabilities. |
|
VCID-b3sp-rdja-cuf5
Aliases: CVE-2025-48795 GHSA-36wv-v2qp-v4g4 |
Apache CXF is vulnerable to DoS attacks as entire files are read into memory and logged Apache CXF stores large stream based messages as temporary files on the local filesystem. A bug was introduced which means that the entire temporary file is read into memory and then logged. An attacker might be able to exploit this to cause a denial of service attack by causing an out of memory exception. In addition, it is possible to configure CXF to encrypt temporary files to prevent sensitive credentials from being cached unencrypted on the local filesystem, however this bug means that the cached files are written out to logs unencrypted. Users are recommended to upgrade to versions 3.5.11, 3.6.6, 4.0.7 or 4.1.1, which fixes this issue. |
Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-d68d-u8dc-r3be
Aliases: CVE-2019-12406 GHSA-58p8-9g59-q2hr |
Potential DOS attack due to unrestricted attachment count in messages Apache CXF before 3.3.4 and 3.2.11 does not restrict the number of message attachments present in a given message. This leaves open the possibility of a denial of service type attack, where a malicious user crafts a message containing a very large number of message attachments. From the 3.3.4 and 3.2.11 releases, a default limit of 50 message attachments is enforced. This is configurable via the message property "attachment-max-count". |
Affected by 10 other vulnerabilities. Affected by 10 other vulnerabilities. |
|
VCID-darq-bg13-x3fd
Aliases: CVE-2020-13954 GHSA-64x2-gq24-75pv |
Cross-site scripting in Apache CXF By default, Apache CXF creates a /services page containing a listing of the available endpoint names and addresses. This webpage is vulnerable to a reflected Cross-Site Scripting (XSS) attack via the styleSheetPath, which allows a malicious actor to inject javascript into the web page. This vulnerability affects all versions of Apache CXF prior to 3.4.1 and 3.3.8. Please note that this is a separate issue to CVE-2019-17573. |
Affected by 6 other vulnerabilities. Affected by 6 other vulnerabilities. |
|
VCID-edja-kj1j-7kh5
Aliases: CVE-2019-12423 GHSA-42f2-f9vc-6365 |
Private key leak in Apache CXF Apache CXF ships with a OpenId Connect JWK Keys service, which allows a client to obtain the public keys in JWK format, which can then be used to verify the signature of tokens issued by the service. Typically, the service obtains the public key from a local keystore (JKS/PKCS12) by specifing the path of the keystore and the alias of the keystore entry. This case is not vulnerable. However it is also possible to obtain the keys from a JWK keystore file, by setting the configuration parameter `rs.security.keystore.type` to `jwk`. For this case all keys are returned in this file "as is", including all private key and secret key credentials. This is an obvious security risk if the user has configured the signature keystore file with private or secret key credentials. From CXF 3.3.5 and 3.2.12, it is mandatory to specify an alias corresponding to the id of the key in the JWK file, and only this key is returned. In addition, any private key information is omitted by default. `oct` keys, which contain secret keys, are not returned at all. |
Affected by 9 other vulnerabilities. Affected by 8 other vulnerabilities. |
|
VCID-efw6-swgm-4fbc
Aliases: CVE-2024-28752 GHSA-qmgx-j96g-4428 |
SSRF vulnerability using the Aegis DataBinding in Apache CXF A SSRF vulnerability using the Aegis DataBinding in versions of Apache CXF before 4.0.4, 3.6.3 and 3.5.8 allows an attacker to perform SSRF style attacks on webservices that take at least one parameter of any type. Users of other data bindings (including the default databinding) are not impacted. |
Affected by 2 other vulnerabilities. Affected by 2 other vulnerabilities. Affected by 2 other vulnerabilities. |
|
VCID-fekg-fn5e-augk
Aliases: CVE-2020-1954 GHSA-ffm7-7r8g-77xm |
Exposure of Sensitive Information to an Unauthorized Actor in Apache CXF Apache CXF has the ability to integrate with JMX by registering an InstrumentationManager extension with the CXF bus. If the ‘createMBServerConnectorFactory‘ property of the default InstrumentationManagerImpl is not disabled, then it is vulnerable to a man-in-the-middle (MITM) style attack. An attacker on the same host can connect to the registry and rebind the entry to another server, thus acting as a proxy to the original. They are then able to gain access to all of the information that is sent and received over JMX. |
Affected by 7 other vulnerabilities. Affected by 7 other vulnerabilities. |
|
VCID-j1db-vh8s-6yaz
Aliases: CVE-2016-6812 GHSA-vw2c-5wph-v92r |
The HTTP transport module in Apache CXF prior to 3.0.12 and 3.1.x prior to 3.1.9 uses FormattedServiceListWriter to provide an HTML page which lists the names and absolute URL addresses of the available service endpoints. The module calculates the base URL using the current HttpServletRequest. The calculated base URL is used by FormattedServiceListWriter to build the service endpoint absolute URLs. If the unexpected matrix parameters have been injected into the request URL then these matrix parameters will find their way back to the client in the services list page which represents an XSS risk to the client. |
Affected by 14 other vulnerabilities. Affected by 14 other vulnerabilities. |
|
VCID-sb6r-52yp-x7g5
Aliases: CVE-2017-12624 GHSA-7vgj-8mw4-hg8r |
Apache CXF supports sending and receiving attachments via either the JAX-WS or JAX-RS specifications. It is possible to craft a message attachment header that could lead to a Denial of Service (DoS) attack on a CXF web service provider. Both JAX-WS and JAX-RS services are vulnerable to this attack. From Apache CXF 3.2.1 and 3.1.14, message attachment headers that are greater than 300 characters will be rejected by default. This value is configurable via the property "attachment-max-header-size". |
Affected by 12 other vulnerabilities. Affected by 11 other vulnerabilities. Affected by 13 other vulnerabilities. |
|
VCID-tw87-3mzf-8uem
Aliases: CVE-2017-5656 GHSA-v936-x3j5-c76j |
Apache CXF's STSClient before 3.1.11 and 3.0.13 uses a flawed way of caching tokens that are associated with delegation tokens, which means that an attacker could craft a token which would return an identifer corresponding to a cached token for another user. |
Affected by 12 other vulnerabilities. Affected by 12 other vulnerabilities. |
|
VCID-vatr-ygcg-f3au
Aliases: CVE-2015-5253 GHSA-3336-h95j-hvvf |
The SAML Web SSO module in Apache CXF before 2.7.18, 3.0.x before 3.0.7, and 3.1.x before 3.1.3 allows remote authenticated users to bypass authentication via a crafted SAML response with a valid signed assertion, related to a "wrapping attack." |
Affected by 16 other vulnerabilities. Affected by 16 other vulnerabilities. |
|
VCID-x3q1-vymh-jkew
Aliases: CVE-2021-22696 GHSA-7q4h-pj78-j7vg |
Authorization service vulnerable to DDos attacks in Apache CFX CXF supports (via JwtRequestCodeFilter) passing OAuth 2 parameters via a JWT token as opposed to query parameters (see: The OAuth 2.0 Authorization Framework: JWT Secured Authorization Request (JAR)). Instead of sending a JWT token as a "request" parameter, the spec also supports specifying a URI from which to retrieve a JWT token from via the "request_uri" parameter. CXF was not validating the "request_uri" parameter (apart from ensuring it uses "https) and was making a REST request to the parameter in the request to retrieve a token. This means that CXF was vulnerable to DDos attacks on the authorization server, as specified in section 10.4.1 of the spec. This issue affects Apache CXF versions prior to 3.4.3; Apache CXF versions prior to 3.3.10. |
Affected by 5 other vulnerabilities. Affected by 5 other vulnerabilities. |
|
VCID-xzs8-rbhd-mkbp
Aliases: CVE-2022-46363 GHSA-3w37-5p3p-jv92 |
Apache CXF vulnerable to Exposure of Sensitive Information A vulnerability in Apache CXF before versions 3.5.5 and 3.4.10 allows an attacker to perform a remote directory listing or code exfiltration. The vulnerability only applies when the CXFServlet is configured with both the static-resources-list and redirect-query-check attributes. These attributes are not supposed to be used together, and so the vulnerability can only arise if the CXF service is misconfigured. |
Affected by 3 other vulnerabilities. Affected by 3 other vulnerabilities. |
|
VCID-y8up-mkx2-abcn
Aliases: CVE-2022-46364 GHSA-x3x3-qwjq-8gj4 |
Apache CXF Server-Side Request Forgery vulnerability A SSRF vulnerability in parsing the href attribute of XOP:Include in MTOM requests in versions of Apache CXF before 3.5.5 and 3.4.10 allows an attacker to perform SSRF style attacks on webservices that take at least one parameter of any type. |
Affected by 3 other vulnerabilities. Affected by 3 other vulnerabilities. |
|
VCID-yqr6-8zk9-4fgv
Aliases: CVE-2016-8739 GHSA-x7xf-253v-x3w8 |
The JAX-RS module in Apache CXF prior to 3.0.12 and 3.1.x prior to 3.1.9 provides a number of Atom JAX-RS MessageBodyReaders. These readers use Apache Abdera Parser which expands XML entities by default which represents a major XXE risk. |
Affected by 14 other vulnerabilities. Affected by 14 other vulnerabilities. |
|
VCID-ytk3-rjrf-wfh9
Aliases: CVE-2025-23184 GHSA-fh5r-crhr-qrrq |
Apache CXF: Denial of Service vulnerability with temporary files A potential denial of service vulnerability is present in versions of Apache CXF before 3.5.10, 3.6.5 and 4.0.6. In some edge cases, the CachedOutputStream instances may not be closed and, if backed by temporary files, may fill up the file system (it applies to servers and clients). |
Affected by 1 other vulnerability. Affected by 1 other vulnerability. Affected by 1 other vulnerability. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| This package is not known to fix vulnerabilities. | ||