Django REST framework

Lookup for vulnerable packages by Package URL.

Purl pkg:maven/org.apache.cxf/cxf-api@2.5.1

Type maven

Namespace org.apache.cxf

Name cxf-api

Version 2.5.1

Qualifiers

Subpath

Is_vulnerable true

Next_non_vulnerable_version null

Latest_non_vulnerable_version null

Affected_by_vulnerabilities

url VCID-darq-bg13-x3fd

vulnerability_id VCID-darq-bg13-x3fd

summary

Cross-site scripting in Apache CXF
By default, Apache CXF creates a /services page containing a listing of the available endpoint names and addresses. This webpage is vulnerable to a reflected Cross-Site Scripting (XSS) attack via the styleSheetPath, which allows a malicious actor to inject javascript into the web page. This vulnerability affects all versions of Apache CXF prior to 3.4.1 and 3.3.8. Please note that this is a separate issue to CVE-2019-17573.

references

reference_url

http://cxf.apache.org/security-advisories.data/CVE-2020-13954.txt.asc?version=1&modificationDate=1605183670659&api=v2

reference_id

reference_type

scores

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

http://cxf.apache.org/security-advisories.data/CVE-2020-13954.txt.asc?version=1&modificationDate=1605183670659&api=v2

reference_url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2020-13954.json

reference_id

reference_type

scores

value	6.1
scoring_system	cvssv3
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2020-13954.json

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2020-13954

reference_id

reference_type

scores

value	0.08411
scoring_system	epss
scoring_elements	0.92326
published_at	2026-04-09T12:55:00Z

value	0.08411
scoring_system	epss
scoring_elements	0.92321
published_at	2026-04-08T12:55:00Z

value	0.08411
scoring_system	epss
scoring_elements	0.9231
published_at	2026-04-07T12:55:00Z

value	0.08411
scoring_system	epss
scoring_elements	0.92307
published_at	2026-04-04T12:55:00Z

value	0.08411
scoring_system	epss
scoring_elements	0.92294
published_at	2026-04-01T12:55:00Z

value	0.08411
scoring_system	epss
scoring_elements	0.92301
published_at	2026-04-02T12:55:00Z

value	0.08411
scoring_system	epss
scoring_elements	0.92331
published_at	2026-04-13T12:55:00Z

value	0.08411
scoring_system	epss
scoring_elements	0.92333
published_at	2026-04-12T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2020-13954

reference_url

https://lists.apache.org/thread.html/r51fdd73548290b2dfd0b48f7ab69bf9ae064dd100364cd8a15f0b3ec@%3Cannounce.apache.org%3E

reference_id

reference_type

scores

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://lists.apache.org/thread.html/r51fdd73548290b2dfd0b48f7ab69bf9ae064dd100364cd8a15f0b3ec@%3Cannounce.apache.org%3E

reference_url

https://lists.apache.org/thread.html/r51fdd73548290b2dfd0b48f7ab69bf9ae064dd100364cd8a15f0b3ec@%3Cdev.cxf.apache.org%3E

reference_id

reference_type

scores

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://lists.apache.org/thread.html/r51fdd73548290b2dfd0b48f7ab69bf9ae064dd100364cd8a15f0b3ec@%3Cdev.cxf.apache.org%3E

reference_url

https://lists.apache.org/thread.html/r51fdd73548290b2dfd0b48f7ab69bf9ae064dd100364cd8a15f0b3ec@%3Cusers.cxf.apache.org%3E

reference_id

reference_type

scores

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://lists.apache.org/thread.html/r51fdd73548290b2dfd0b48f7ab69bf9ae064dd100364cd8a15f0b3ec@%3Cusers.cxf.apache.org%3E

reference_url

https://lists.apache.org/thread.html/r640719c9ce5671f239a6f002c20e14062effe4b318a580b6746aa5ef@%3Cdev.syncope.apache.org%3E

reference_id

reference_type

scores

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://lists.apache.org/thread.html/r640719c9ce5671f239a6f002c20e14062effe4b318a580b6746aa5ef@%3Cdev.syncope.apache.org%3E

reference_url

https://lists.apache.org/thread.html/r81a41a2915985d49bc3ea57dde2018b03584a863878a8532a89f993f@%3Cusers.cxf.apache.org%3E

reference_id

reference_type

scores

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://lists.apache.org/thread.html/r81a41a2915985d49bc3ea57dde2018b03584a863878a8532a89f993f@%3Cusers.cxf.apache.org%3E

reference_url

https://lists.apache.org/thread.html/rd49aabd984ed540c8ff7916d4d79405f3fa311d2fdbcf9ed307839a6@%3Ccommits.cxf.apache.org%3E

reference_id

reference_type

scores

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://lists.apache.org/thread.html/rd49aabd984ed540c8ff7916d4d79405f3fa311d2fdbcf9ed307839a6@%3Ccommits.cxf.apache.org%3E

reference_url

https://lists.apache.org/thread.html/rec7160382badd3ef4ad017a22f64a266c7188b9ba71394f0d321e2d4@%3Ccommits.cxf.apache.org%3E

reference_id

reference_type

scores

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://lists.apache.org/thread.html/rec7160382badd3ef4ad017a22f64a266c7188b9ba71394f0d321e2d4@%3Ccommits.cxf.apache.org%3E

reference_url

https://lists.apache.org/thread.html/rfb87e0bf3995e7d560afeed750fac9329ff5f1ad49da365129b7f89e@%3Ccommits.cxf.apache.org%3E

reference_id

reference_type

scores

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://lists.apache.org/thread.html/rfb87e0bf3995e7d560afeed750fac9329ff5f1ad49da365129b7f89e@%3Ccommits.cxf.apache.org%3E

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2020-13954

reference_id

reference_type

scores

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2020-13954

reference_url

https://security.netapp.com/advisory/ntap-20210513-0010

reference_id

reference_type

scores

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://security.netapp.com/advisory/ntap-20210513-0010

reference_url	https://security.netapp.com/advisory/ntap-20210513-0010/
reference_id
reference_type
scores
url	https://security.netapp.com/advisory/ntap-20210513-0010/

reference_url

https://www.oracle.com/security-alerts/cpuApr2021.html

reference_id

reference_type

scores

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://www.oracle.com/security-alerts/cpuApr2021.html

reference_url

https://www.oracle.com/security-alerts/cpuapr2022.html

reference_id

reference_type

scores

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://www.oracle.com/security-alerts/cpuapr2022.html

reference_url

https://www.oracle.com/security-alerts/cpujan2021.html

reference_id

reference_type

scores

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://www.oracle.com/security-alerts/cpujan2021.html

reference_url

https://www.oracle.com/security-alerts/cpuoct2021.html

reference_id

reference_type

scores

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://www.oracle.com/security-alerts/cpuoct2021.html

reference_url

http://www.openwall.com/lists/oss-security/2020/11/12/2

reference_id

reference_type

scores

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

http://www.openwall.com/lists/oss-security/2020/11/12/2

reference_url	https://bugzilla.redhat.com/show_bug.cgi?id=1898235
reference_id	1898235
reference_type
scores
url	https://bugzilla.redhat.com/show_bug.cgi?id=1898235

reference_url

https://github.com/advisories/GHSA-64x2-gq24-75pv

reference_id

GHSA-64x2-gq24-75pv

reference_type

scores

value	MODERATE
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-64x2-gq24-75pv

reference_url	https://access.redhat.com/errata/RHSA-2021:3205
reference_id	RHSA-2021:3205
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2021:3205

fixed_packages

url	pkg:maven/org.apache.cxf/cxf-api@3.3.8
purl	pkg:maven/org.apache.cxf/cxf-api@3.3.8
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.cxf/cxf-api@3.3.8

url	pkg:maven/org.apache.cxf/cxf-api@3.4.1
purl	pkg:maven/org.apache.cxf/cxf-api@3.4.1
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.cxf/cxf-api@3.4.1

aliases CVE-2020-13954, GHSA-64x2-gq24-75pv

risk_score 3.1

exploitability 0.5

weighted_severity 6.2

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-darq-bg13-x3fd

url VCID-n8bd-use6-pbb2

vulnerability_id VCID-n8bd-use6-pbb2

summary Apache CXF before 2.4.9, 2.5.x before 2.5.5, and 2.6.x before 2.6.2 allows remote attackers to execute unintended web-service operations by sending a header with a SOAP Action String that is inconsistent with the message body.

references

reference_url

http://rhn.redhat.com/errata/RHSA-2012-1591.html

reference_id

reference_type

scores

value	HIGH
scoring_system	generic_textual
scoring_elements

url

http://rhn.redhat.com/errata/RHSA-2012-1591.html

reference_url

http://rhn.redhat.com/errata/RHSA-2012-1592.html

reference_id

reference_type

scores

value	HIGH
scoring_system	generic_textual
scoring_elements

url

http://rhn.redhat.com/errata/RHSA-2012-1592.html

reference_url

http://rhn.redhat.com/errata/RHSA-2012-1594.html

reference_id

reference_type

scores

value	HIGH
scoring_system	generic_textual
scoring_elements

url

http://rhn.redhat.com/errata/RHSA-2012-1594.html

reference_url

http://rhn.redhat.com/errata/RHSA-2013-0256.html

reference_id

reference_type

scores

value	HIGH
scoring_system	generic_textual
scoring_elements

url

http://rhn.redhat.com/errata/RHSA-2013-0256.html

reference_url

http://rhn.redhat.com/errata/RHSA-2013-0257.html

reference_id

reference_type

scores

value	HIGH
scoring_system	generic_textual
scoring_elements

url

http://rhn.redhat.com/errata/RHSA-2013-0257.html

reference_url

http://rhn.redhat.com/errata/RHSA-2013-0258.html

reference_id

reference_type

scores

value	HIGH
scoring_system	generic_textual
scoring_elements

url

http://rhn.redhat.com/errata/RHSA-2013-0258.html

reference_url

http://rhn.redhat.com/errata/RHSA-2013-0259.html

reference_id

reference_type

scores

value	HIGH
scoring_system	generic_textual
scoring_elements

url

http://rhn.redhat.com/errata/RHSA-2013-0259.html

reference_url

http://rhn.redhat.com/errata/RHSA-2013-0726.html

reference_id

reference_type

scores

value	HIGH
scoring_system	generic_textual
scoring_elements

url

http://rhn.redhat.com/errata/RHSA-2013-0726.html

reference_url

http://rhn.redhat.com/errata/RHSA-2013-0743.html

reference_id

reference_type

scores

value	HIGH
scoring_system	generic_textual
scoring_elements

url

http://rhn.redhat.com/errata/RHSA-2013-0743.html

reference_url	https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2012-3451.json
reference_id
reference_type
scores
url	https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2012-3451.json

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2012-3451

reference_id

reference_type

scores

value	0.09969
scoring_system	epss
scoring_elements	0.9304
published_at	2026-04-13T12:55:00Z

value	0.09969
scoring_system	epss
scoring_elements	0.93012
published_at	2026-04-01T12:55:00Z

value	0.09969
scoring_system	epss
scoring_elements	0.93021
published_at	2026-04-02T12:55:00Z

value	0.09969
scoring_system	epss
scoring_elements	0.93025
published_at	2026-04-04T12:55:00Z

value	0.09969
scoring_system	epss
scoring_elements	0.93024
published_at	2026-04-07T12:55:00Z

value	0.09969
scoring_system	epss
scoring_elements	0.93032
published_at	2026-04-08T12:55:00Z

value	0.09969
scoring_system	epss
scoring_elements	0.93037
published_at	2026-04-09T12:55:00Z

value	0.09969
scoring_system	epss
scoring_elements	0.93041
published_at	2026-04-11T12:55:00Z

value	0.09969
scoring_system	epss
scoring_elements	0.93039
published_at	2026-04-12T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2012-3451

reference_url

https://bugzilla.redhat.com/show_bug.cgi?id=851896

reference_id

reference_type

scores

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://bugzilla.redhat.com/show_bug.cgi?id=851896

reference_url	https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-3451
reference_id
reference_type
scores
url	https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-3451

reference_url	http://secunia.com/advisories/51607
reference_id
reference_type
scores
url	http://secunia.com/advisories/51607

reference_url	http://secunia.com/advisories/52183
reference_id
reference_type
scores
url	http://secunia.com/advisories/52183

reference_url

https://exchange.xforce.ibmcloud.com/vulnerabilities/78734

reference_id

reference_type

scores

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://exchange.xforce.ibmcloud.com/vulnerabilities/78734

reference_url

https://github.com/apache/cxf

reference_id

reference_type

scores

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/apache/cxf

reference_url

https://github.com/apache/cxf/commit/7230648f96573820d5bfa82c92c637391b448897

reference_id

reference_type

scores

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/apache/cxf/commit/7230648f96573820d5bfa82c92c637391b448897

reference_url

https://github.com/apache/cxf/commit/878fe37f0b09888a42005fedc725ce497b5a694a

reference_id

reference_type

scores

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/apache/cxf/commit/878fe37f0b09888a42005fedc725ce497b5a694a

reference_url

https://github.com/apache/cxf/commit/9c70abe28fbf2b4c4df0b93ed12295ea5a012554

reference_id

reference_type

scores

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/apache/cxf/commit/9c70abe28fbf2b4c4df0b93ed12295ea5a012554

reference_url

https://github.com/apache/cxf/commit/deeeaa95a861b355068ca6febc7aa02a4a8c51e5

reference_id

reference_type

scores

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/apache/cxf/commit/deeeaa95a861b355068ca6febc7aa02a4a8c51e5

reference_url

https://lists.apache.org/thread.html/r36e44ffc1a9b365327df62cdfaabe85b9a5637de102cea07d79b2dbf@%3Ccommits.cxf.apache.org%3E

reference_id

reference_type

scores

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://lists.apache.org/thread.html/r36e44ffc1a9b365327df62cdfaabe85b9a5637de102cea07d79b2dbf@%3Ccommits.cxf.apache.org%3E

reference_url

https://lists.apache.org/thread.html/r36e44ffc1a9b365327df62cdfaabe85b9a5637de102cea07d79b2dbf%40%3Ccommits.cxf.apache.org%3E

reference_id

reference_type

scores

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://lists.apache.org/thread.html/r36e44ffc1a9b365327df62cdfaabe85b9a5637de102cea07d79b2dbf%40%3Ccommits.cxf.apache.org%3E

reference_url

https://lists.apache.org/thread.html/rc774278135816e7afc943dc9fc78eb0764f2c84a2b96470a0187315c@%3Ccommits.cxf.apache.org%3E

reference_id

reference_type

scores

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://lists.apache.org/thread.html/rc774278135816e7afc943dc9fc78eb0764f2c84a2b96470a0187315c@%3Ccommits.cxf.apache.org%3E

reference_url

https://lists.apache.org/thread.html/rc774278135816e7afc943dc9fc78eb0764f2c84a2b96470a0187315c%40%3Ccommits.cxf.apache.org%3E

reference_id

reference_type

scores

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://lists.apache.org/thread.html/rc774278135816e7afc943dc9fc78eb0764f2c84a2b96470a0187315c%40%3Ccommits.cxf.apache.org%3E

reference_url

https://lists.apache.org/thread.html/rd49aabd984ed540c8ff7916d4d79405f3fa311d2fdbcf9ed307839a6@%3Ccommits.cxf.apache.org%3E

reference_id

reference_type

scores

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://lists.apache.org/thread.html/rd49aabd984ed540c8ff7916d4d79405f3fa311d2fdbcf9ed307839a6@%3Ccommits.cxf.apache.org%3E

reference_url

https://lists.apache.org/thread.html/rd49aabd984ed540c8ff7916d4d79405f3fa311d2fdbcf9ed307839a6%40%3Ccommits.cxf.apache.org%3E

reference_id

reference_type

scores

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://lists.apache.org/thread.html/rd49aabd984ed540c8ff7916d4d79405f3fa311d2fdbcf9ed307839a6%40%3Ccommits.cxf.apache.org%3E

reference_url

https://lists.apache.org/thread.html/rec7160382badd3ef4ad017a22f64a266c7188b9ba71394f0d321e2d4@%3Ccommits.cxf.apache.org%3E

reference_id

reference_type

scores

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://lists.apache.org/thread.html/rec7160382badd3ef4ad017a22f64a266c7188b9ba71394f0d321e2d4@%3Ccommits.cxf.apache.org%3E

reference_url

https://lists.apache.org/thread.html/rec7160382badd3ef4ad017a22f64a266c7188b9ba71394f0d321e2d4%40%3Ccommits.cxf.apache.org%3E

reference_id

reference_type

scores

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://lists.apache.org/thread.html/rec7160382badd3ef4ad017a22f64a266c7188b9ba71394f0d321e2d4%40%3Ccommits.cxf.apache.org%3E

reference_url

https://lists.apache.org/thread.html/rfb87e0bf3995e7d560afeed750fac9329ff5f1ad49da365129b7f89e@%3Ccommits.cxf.apache.org%3E

reference_id

reference_type

scores

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://lists.apache.org/thread.html/rfb87e0bf3995e7d560afeed750fac9329ff5f1ad49da365129b7f89e@%3Ccommits.cxf.apache.org%3E

reference_url

https://lists.apache.org/thread.html/rfb87e0bf3995e7d560afeed750fac9329ff5f1ad49da365129b7f89e%40%3Ccommits.cxf.apache.org%3E

reference_id

reference_type

scores

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://lists.apache.org/thread.html/rfb87e0bf3995e7d560afeed750fac9329ff5f1ad49da365129b7f89e%40%3Ccommits.cxf.apache.org%3E

reference_url

https://lists.apache.org/thread.html/rff42cfa5e7d75b7c1af0e37589140a8f1999e578a75738740b244bd4@%3Ccommits.cxf.apache.org%3E

reference_id

reference_type

scores

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://lists.apache.org/thread.html/rff42cfa5e7d75b7c1af0e37589140a8f1999e578a75738740b244bd4@%3Ccommits.cxf.apache.org%3E

reference_url

https://lists.apache.org/thread.html/rff42cfa5e7d75b7c1af0e37589140a8f1999e578a75738740b244bd4%40%3Ccommits.cxf.apache.org%3E

reference_id

reference_type

scores

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://lists.apache.org/thread.html/rff42cfa5e7d75b7c1af0e37589140a8f1999e578a75738740b244bd4%40%3Ccommits.cxf.apache.org%3E

reference_url

http://svn.apache.org/viewvc?view=revision&revision=1368559

reference_id

reference_type

scores

value	HIGH
scoring_system	generic_textual
scoring_elements

url

http://svn.apache.org/viewvc?view=revision&revision=1368559

reference_url	https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:apache:cxf::::::::
reference_id	cpe:2.3:a:apache:cxf::::::::
reference_type
scores
url	https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:apache:cxf::::::::

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2012-3451

reference_id

CVE-2012-3451

reference_type

scores

value	4.3
scoring_system	cvssv2
scoring_elements	AV:N/AC:M/Au:N/C:N/I:P/A:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2012-3451

reference_url

http://cxf.apache.org/cve-2012-3451.html

reference_id

CVE-2012-3451.HTML

reference_type

scores

value	HIGH
scoring_system	generic_textual
scoring_elements

url

http://cxf.apache.org/cve-2012-3451.html

reference_url

https://github.com/advisories/GHSA-55j7-f5wf-43m4

reference_id

GHSA-55j7-f5wf-43m4

reference_type

scores

value	HIGH
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-55j7-f5wf-43m4

reference_url	https://access.redhat.com/errata/RHSA-2012:1591
reference_id	RHSA-2012:1591
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2012:1591

reference_url	https://access.redhat.com/errata/RHSA-2012:1592
reference_id	RHSA-2012:1592
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2012:1592

reference_url	https://access.redhat.com/errata/RHSA-2012:1594
reference_id	RHSA-2012:1594
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2012:1594

reference_url	https://access.redhat.com/errata/RHSA-2013:0256
reference_id	RHSA-2013:0256
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2013:0256

reference_url	https://access.redhat.com/errata/RHSA-2013:0257
reference_id	RHSA-2013:0257
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2013:0257

reference_url	https://access.redhat.com/errata/RHSA-2013:0258
reference_id	RHSA-2013:0258
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2013:0258

reference_url	https://access.redhat.com/errata/RHSA-2013:0259
reference_id	RHSA-2013:0259
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2013:0259

reference_url	https://access.redhat.com/errata/RHSA-2013:0726
reference_id	RHSA-2013:0726
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2013:0726

reference_url	https://access.redhat.com/errata/RHSA-2013:0743
reference_id	RHSA-2013:0743
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2013:0743

fixed_packages

url pkg:maven/org.apache.cxf/cxf-api@2.5.5

purl pkg:maven/org.apache.cxf/cxf-api@2.5.5

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-darq-bg13-x3fd

vulnerability	VCID-u5sk-1a1u-zuex

vulnerability	VCID-x3q1-vymh-jkew

resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.cxf/cxf-api@2.5.5

url pkg:maven/org.apache.cxf/cxf-api@2.6.2

purl pkg:maven/org.apache.cxf/cxf-api@2.6.2

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-darq-bg13-x3fd

vulnerability	VCID-u5sk-1a1u-zuex

vulnerability	VCID-x3q1-vymh-jkew

resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.cxf/cxf-api@2.6.2

aliases CVE-2012-3451, GHSA-55j7-f5wf-43m4

risk_score 4.0

exploitability 0.5

weighted_severity 8.0

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-n8bd-use6-pbb2

url VCID-u5sk-1a1u-zuex

vulnerability_id VCID-u5sk-1a1u-zuex

summary

Denial of Service Attacks on Apache CXF
The streaming XML parser in this package remote attackers to cause a denial of service (CPU and memory consumption) via crafted XML with a large number of elements, attributes, nested constructs, and possibly other vectors.

references

reference_url

http://jira.codehaus.org/browse/WSTX-285

reference_id

reference_type

scores

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

http://jira.codehaus.org/browse/WSTX-285

reference_url

http://jira.codehaus.org/browse/WSTX-287

reference_id

reference_type

scores

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

http://jira.codehaus.org/browse/WSTX-287

reference_url

http://rhn.redhat.com/errata/RHSA-2013-1028.html

reference_id

reference_type

scores

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

http://rhn.redhat.com/errata/RHSA-2013-1028.html

reference_url

http://rhn.redhat.com/errata/RHSA-2013-1437.html

reference_id

reference_type

scores

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

http://rhn.redhat.com/errata/RHSA-2013-1437.html

reference_url	https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2013-2160.json
reference_id
reference_type
scores
url	https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2013-2160.json

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2013-2160

reference_id

reference_type

scores

value	0.12253
scoring_system	epss
scoring_elements	0.9385
published_at	2026-04-13T12:55:00Z

value	0.12253
scoring_system	epss
scoring_elements	0.93813
published_at	2026-04-01T12:55:00Z

value	0.12253
scoring_system	epss
scoring_elements	0.93822
published_at	2026-04-02T12:55:00Z

value	0.12253
scoring_system	epss
scoring_elements	0.93831
published_at	2026-04-04T12:55:00Z

value	0.12253
scoring_system	epss
scoring_elements	0.93833
published_at	2026-04-07T12:55:00Z

value	0.12253
scoring_system	epss
scoring_elements	0.93842
published_at	2026-04-08T12:55:00Z

value	0.12253
scoring_system	epss
scoring_elements	0.93845
published_at	2026-04-09T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2013-2160

reference_url

https://bugzilla.redhat.com/show_bug.cgi?id=929197

reference_id

reference_type

scores

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://bugzilla.redhat.com/show_bug.cgi?id=929197

reference_url	https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-2160
reference_id
reference_type
scores
url	https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-2160

reference_url

https://lists.apache.org/thread.html/r36e44ffc1a9b365327df62cdfaabe85b9a5637de102cea07d79b2dbf@%3Ccommits.cxf.apache.org%3E

reference_id

reference_type

scores

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://lists.apache.org/thread.html/r36e44ffc1a9b365327df62cdfaabe85b9a5637de102cea07d79b2dbf@%3Ccommits.cxf.apache.org%3E

reference_url

https://lists.apache.org/thread.html/rc774278135816e7afc943dc9fc78eb0764f2c84a2b96470a0187315c@%3Ccommits.cxf.apache.org%3E

reference_id

reference_type

scores

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://lists.apache.org/thread.html/rc774278135816e7afc943dc9fc78eb0764f2c84a2b96470a0187315c@%3Ccommits.cxf.apache.org%3E

reference_url

https://lists.apache.org/thread.html/rd49aabd984ed540c8ff7916d4d79405f3fa311d2fdbcf9ed307839a6@%3Ccommits.cxf.apache.org%3E

reference_id

reference_type

scores

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://lists.apache.org/thread.html/rd49aabd984ed540c8ff7916d4d79405f3fa311d2fdbcf9ed307839a6@%3Ccommits.cxf.apache.org%3E

reference_url

https://lists.apache.org/thread.html/rec7160382badd3ef4ad017a22f64a266c7188b9ba71394f0d321e2d4@%3Ccommits.cxf.apache.org%3E

reference_id

reference_type

scores

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://lists.apache.org/thread.html/rec7160382badd3ef4ad017a22f64a266c7188b9ba71394f0d321e2d4@%3Ccommits.cxf.apache.org%3E

reference_url

https://lists.apache.org/thread.html/rfb87e0bf3995e7d560afeed750fac9329ff5f1ad49da365129b7f89e@%3Ccommits.cxf.apache.org%3E

reference_id

reference_type

scores

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://lists.apache.org/thread.html/rfb87e0bf3995e7d560afeed750fac9329ff5f1ad49da365129b7f89e@%3Ccommits.cxf.apache.org%3E

reference_url

https://lists.apache.org/thread.html/rff42cfa5e7d75b7c1af0e37589140a8f1999e578a75738740b244bd4@%3Ccommits.cxf.apache.org%3E

reference_id

reference_type

scores

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://lists.apache.org/thread.html/rff42cfa5e7d75b7c1af0e37589140a8f1999e578a75738740b244bd4@%3Ccommits.cxf.apache.org%3E

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2013-2160

reference_id

CVE-2013-2160

reference_type

scores

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2013-2160

reference_url	http://cxf.apache.org/security-advisories.data/CVE-2013-2160.txt.asc
reference_id	CVE-2013-2160;OSVDB-95011
reference_type	exploit
scores
url	http://cxf.apache.org/security-advisories.data/CVE-2013-2160.txt.asc

reference_url	https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/multiple/dos/26710.txt
reference_id	CVE-2013-2160;OSVDB-95011
reference_type	exploit
scores
url	https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/multiple/dos/26710.txt

reference_url

https://cxf.apache.org/security-advisories.data/CVE-2013-2160.txt.asc

reference_id

CVE-2013-2160.TXT.ASC

reference_type

scores

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://cxf.apache.org/security-advisories.data/CVE-2013-2160.txt.asc

reference_url

https://github.com/advisories/GHSA-254q-rp36-v2m8

reference_id

GHSA-254q-rp36-v2m8

reference_type

scores

value	MODERATE
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-254q-rp36-v2m8

reference_url	https://access.redhat.com/errata/RHSA-2013:1028
reference_id	RHSA-2013:1028
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2013:1028

reference_url	https://access.redhat.com/errata/RHSA-2013:1185
reference_id	RHSA-2013:1185
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2013:1185

reference_url	https://access.redhat.com/errata/RHSA-2013:1437
reference_id	RHSA-2013:1437
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2013:1437

fixed_packages

url pkg:maven/org.apache.cxf/cxf-api@2.5.10

purl pkg:maven/org.apache.cxf/cxf-api@2.5.10

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-darq-bg13-x3fd

vulnerability	VCID-x3q1-vymh-jkew

resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.cxf/cxf-api@2.5.10

url pkg:maven/org.apache.cxf/cxf-api@2.6.7

purl pkg:maven/org.apache.cxf/cxf-api@2.6.7

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-darq-bg13-x3fd

vulnerability	VCID-x3q1-vymh-jkew

resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.cxf/cxf-api@2.6.7

url pkg:maven/org.apache.cxf/cxf-api@2.7.4

purl pkg:maven/org.apache.cxf/cxf-api@2.7.4

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-darq-bg13-x3fd

vulnerability	VCID-x3q1-vymh-jkew

resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.cxf/cxf-api@2.7.4

aliases CVE-2013-2160, GHSA-254q-rp36-v2m8

risk_score 10.0

exploitability 2.0

weighted_severity 6.2

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-u5sk-1a1u-zuex

url

VCID-x3q1-vymh-jkew

vulnerability_id

VCID-x3q1-vymh-jkew

summary

Authorization service vulnerable to DDos attacks in Apache CFX
CXF supports (via JwtRequestCodeFilter) passing OAuth 2 parameters via a JWT token as opposed to query parameters (see: The OAuth 2.0 Authorization Framework: JWT Secured Authorization Request (JAR)). Instead of sending a JWT token as a "request" parameter, the spec also supports specifying a URI from which to retrieve a JWT token from via the "request_uri" parameter. CXF was not validating the "request_uri" parameter (apart from ensuring it uses "https) and was making a REST request to the parameter in the request to retrieve a token. This means that CXF was vulnerable to DDos attacks on the authorization server, as specified in section 10.4.1 of the spec. This issue affects Apache CXF versions prior to 3.4.3; Apache CXF versions prior to 3.3.10.

references

reference_url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-22696.json

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-22696.json

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2021-22696

reference_id

reference_type

scores

value	0.01971
scoring_system	epss
scoring_elements	0.83539
published_at	2026-04-13T12:55:00Z

value	0.01971
scoring_system	epss
scoring_elements	0.83543
published_at	2026-04-12T12:55:00Z

value	0.01971
scoring_system	epss
scoring_elements	0.83549
published_at	2026-04-11T12:55:00Z

value	0.01971
scoring_system	epss
scoring_elements	0.83534
published_at	2026-04-09T12:55:00Z

value	0.01971
scoring_system	epss
scoring_elements	0.83524
published_at	2026-04-08T12:55:00Z

value	0.01971
scoring_system	epss
scoring_elements	0.835
published_at	2026-04-07T12:55:00Z

value	0.01971
scoring_system	epss
scoring_elements	0.83501
published_at	2026-04-04T12:55:00Z

value	0.01971
scoring_system	epss
scoring_elements	0.83474
published_at	2026-04-01T12:55:00Z

value	0.01971
scoring_system	epss
scoring_elements	0.83486
published_at	2026-04-02T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2021-22696

reference_url

https://cxf.apache.org/security-advisories.data/CVE-2021-22696.txt.asc

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://cxf.apache.org/security-advisories.data/CVE-2021-22696.txt.asc

reference_url

https://github.com/apache/cxf

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/apache/cxf

reference_url

https://github.com/apache/cxf/commit/40503a53914758759894f704bbf139ae89ace286

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/apache/cxf/commit/40503a53914758759894f704bbf139ae89ace286

reference_url

https://github.com/apache/cxf/commit/aa789c5c4686597a7bdef2443909ab491fc2bc04

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/apache/cxf/commit/aa789c5c4686597a7bdef2443909ab491fc2bc04

reference_url

https://lists.apache.org/thread.html/r6445001cc5f9a2bb1e6316993753306e054bdd1d702656b7cbe59045@%3Cannounce.apache.org%3E

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://lists.apache.org/thread.html/r6445001cc5f9a2bb1e6316993753306e054bdd1d702656b7cbe59045@%3Cannounce.apache.org%3E

reference_url

https://lists.apache.org/thread.html/r8651c06212c56294a1c0ea61a5ad7790c06502209c03f05c0c7c9914@%3Cdev.cxf.apache.org%3E

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://lists.apache.org/thread.html/r8651c06212c56294a1c0ea61a5ad7790c06502209c03f05c0c7c9914@%3Cdev.cxf.apache.org%3E

reference_url

https://lists.apache.org/thread.html/r8651c06212c56294a1c0ea61a5ad7790c06502209c03f05c0c7c9914@%3Cusers.cxf.apache.org%3E

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://lists.apache.org/thread.html/r8651c06212c56294a1c0ea61a5ad7790c06502209c03f05c0c7c9914@%3Cusers.cxf.apache.org%3E

reference_url

https://lists.apache.org/thread.html/rec7160382badd3ef4ad017a22f64a266c7188b9ba71394f0d321e2d4@%3Ccommits.cxf.apache.org%3E

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://lists.apache.org/thread.html/rec7160382badd3ef4ad017a22f64a266c7188b9ba71394f0d321e2d4@%3Ccommits.cxf.apache.org%3E

reference_url

https://lists.apache.org/thread.html/rfb87e0bf3995e7d560afeed750fac9329ff5f1ad49da365129b7f89e@%3Ccommits.cxf.apache.org%3E

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://lists.apache.org/thread.html/rfb87e0bf3995e7d560afeed750fac9329ff5f1ad49da365129b7f89e@%3Ccommits.cxf.apache.org%3E

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2021-22696

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2021-22696

reference_url

https://www.oracle.com/security-alerts/cpuapr2022.html

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://www.oracle.com/security-alerts/cpuapr2022.html

reference_url

https://www.oracle.com/security-alerts/cpuoct2021.html

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://www.oracle.com/security-alerts/cpuoct2021.html

reference_url

http://www.openwall.com/lists/oss-security/2021/04/02/2

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

http://www.openwall.com/lists/oss-security/2021/04/02/2

reference_url	https://bugzilla.redhat.com/show_bug.cgi?id=1946341
reference_id	1946341
reference_type
scores
url	https://bugzilla.redhat.com/show_bug.cgi?id=1946341

reference_url

https://github.com/advisories/GHSA-7q4h-pj78-j7vg

reference_id

GHSA-7q4h-pj78-j7vg

reference_type

scores

value	HIGH
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-7q4h-pj78-j7vg

reference_url	https://access.redhat.com/errata/RHSA-2021:5134
reference_id	RHSA-2021:5134
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2021:5134

reference_url	https://access.redhat.com/errata/RHSA-2022:7273
reference_id	RHSA-2022:7273
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2022:7273

fixed_packages

aliases

CVE-2021-22696, GHSA-7q4h-pj78-j7vg

risk_score

4.0

exploitability

0.5

weighted_severity

8.0

resource_url

http://public2.vulnerablecode.io/vulnerabilities/VCID-x3q1-vymh-jkew

Fixing_vulnerabilities

Risk_score 10.0

Resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.cxf/cxf-api@2.5.1

Package Instance