Search for packages
| purl | pkg:maven/org.apache.cxf/cxf-rt-frontend-jaxrs@2.7.3 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-ay9n-qxb3-qucj
Aliases: CVE-2014-3584 GHSA-gw5j-77f9-v2g2 |
The SamlHeaderInHandler in Apache CXF before 2.6.11, 2.7.x before 2.7.8, and 3.0.x before 3.0.1 allows remote attackers to cause a denial of service (infinite loop) via a crafted SAML token in the authorization header of a request to a JAX-RS service. |
Affected by 2 other vulnerabilities. Affected by 3 other vulnerabilities. |
|
VCID-darq-bg13-x3fd
Aliases: CVE-2020-13954 GHSA-64x2-gq24-75pv |
Cross-site scripting in Apache CXF By default, Apache CXF creates a /services page containing a listing of the available endpoint names and addresses. This webpage is vulnerable to a reflected Cross-Site Scripting (XSS) attack via the styleSheetPath, which allows a malicious actor to inject javascript into the web page. This vulnerability affects all versions of Apache CXF prior to 3.4.1 and 3.3.8. Please note that this is a separate issue to CVE-2019-17573. |
Affected by 1 other vulnerability. Affected by 1 other vulnerability. |
|
VCID-u5sk-1a1u-zuex
Aliases: CVE-2013-2160 GHSA-254q-rp36-v2m8 |
Denial of Service Attacks on Apache CXF The streaming XML parser in this package remote attackers to cause a denial of service (CPU and memory consumption) via crafted XML with a large number of elements, attributes, nested constructs, and possibly other vectors. |
Affected by 3 other vulnerabilities. |
|
VCID-x3q1-vymh-jkew
Aliases: CVE-2021-22696 GHSA-7q4h-pj78-j7vg |
Authorization service vulnerable to DDos attacks in Apache CFX CXF supports (via JwtRequestCodeFilter) passing OAuth 2 parameters via a JWT token as opposed to query parameters (see: The OAuth 2.0 Authorization Framework: JWT Secured Authorization Request (JAR)). Instead of sending a JWT token as a "request" parameter, the spec also supports specifying a URI from which to retrieve a JWT token from via the "request_uri" parameter. CXF was not validating the "request_uri" parameter (apart from ensuring it uses "https) and was making a REST request to the parameter in the request to retrieve a token. This means that CXF was vulnerable to DDos attacks on the authorization server, as specified in section 10.4.1 of the spec. This issue affects Apache CXF versions prior to 3.4.3; Apache CXF versions prior to 3.3.10. |
Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| VCID-akr4-z7v7-9qbc | Apache CXF before 2.5.9, 2.6.x before 2.6.6, and 2.7.x before 2.7.3, when the plaintext UsernameToken WS-SecurityPolicy is enabled, allows remote attackers to bypass authentication via a security header of a SOAP request containing a UsernameToken element that lacks a password child element. |
CVE-2013-0239
GHSA-p5c5-6564-vvr8 |