{"url":"http://public2.vulnerablecode.io/api/packages/56867?format=json","purl":"pkg:maven/org.apache.cxf/apache-cxf@3.1.16","type":"maven","namespace":"org.apache.cxf","name":"apache-cxf","version":"3.1.16","qualifiers":{},"subpath":"","is_vulnerable":false,"next_non_vulnerable_version":"3.2.5","latest_non_vulnerable_version":"3.3.11","affected_by_vulnerabilities":[],"fixing_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/40032?format=json","vulnerability_id":"VCID-bfaf-hqw5-13fd","summary":"Improper Handling of Exceptional Conditions\nIt is possible to configure Apache CXF to use the `com.sun.net.ssl` implementation via `System.setProperty`. When this system property is set, CXF uses some reflection to try to make the `HostnameVerifier` work with the old `com.sun.net.ssl.HostnameVerifier` interface. However, the default `HostnameVerifier` implementation in CXF does not implement the method in this interface, and an exception is thrown. However, in Apache CXF versions prior to the fixed releases 3.1.16 and 3.2.5, the exception is caught in the reflection code and not properly propagated. 
What this means is that if you are using the `com.sun.net.ssl` stack with CXF, an error with TLS hostname verification will not be thrown, leaving a CXF client subject to man-in-the-middle attacks.","references":[{"reference_url":"https://access.redhat.com/errata/RHSA-2018:2276","reference_id":"","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2018:2276"},{"reference_url":"https://access.redhat.com/errata/RHSA-2018:2277","reference_id":"","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2018:2277"},{"reference_url":"https://access.redhat.com/errata/RHSA-2018:2279","reference_id":"","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2018:2279"},{"reference_url":"https://access.redhat.com/errata/RHSA-2018:2423","reference_id":"","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2018:2423"},{"reference_url":"https://access.redhat.com/errata/RHSA-2018:2424","reference_id":"","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2018:2424"},{"reference_url":"https://access.redhat.com/errata/RHSA-2018:2425","reference_id":"","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2018:2425"},{"reference_url":"https://access.redhat.com/errata/RHSA-2018:2428","reference_id":"","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2018:2428"},{"reference_url":"https://access.redhat.com/errata/RHSA-2018:2643","reference_id":"","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2018:2643"},{"reference_url":"https://access.redhat.com/errata/RHSA-2018:3768","reference_id":"","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2018:3768"},{"reference_url":"https://access.redhat.com/errata/RHSA-2018:3817","reference_id":"","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2018:3817"},{"reference_url":"https://github.com/apache/cxf
","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/apache/cxf"},{"reference_url":"https://github.com/apache/cxf/commit/8ed6208f987ff72e4c4d2cf8a6b1ec9b27575d4","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/apache/cxf/commit/8ed6208f987ff72e4c4d2cf8a6b1ec9b27575d4"},{"reference_url":"https://github.com/apache/cxf/commit/fae6fabf9bd7647f5e9cb68897a7d72b545b741b","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/apache/cxf/commit/fae6fabf9bd7647f5e9cb68897a7d72b545b741b"},{"reference_url":"https://lists.apache.org/thread.html/1f8ff31df204ad0374ab26ad333169e0387a5e7ec92422f337431866@%3Cdev.cxf.apache.org%3E","reference_id":"","reference_type":"","scores":[],"url":"https://lists.apache.org/thread.html/1f8ff31df204ad0374ab26ad333169e0387a5e7ec92422f337431866@%3Cdev.cxf.apache.org%3E"},{"reference_url":"https://lists.apache.org/thread.html/r36e44ffc1a9b365327df62cdfaabe85b9a5637de102cea07d79b2dbf@%3Ccommits.cxf.apache.org%3E","reference_id":"","reference_type":"","scores":[],"url":"https://lists.apache.org/thread.html/r36e44ffc1a9b365327df62cdfaabe85b9a5637de102cea07d79b2dbf@%3Ccommits.cxf.apache.org%3E"},{"reference_url":"https://lists.apache.org/thread.html/rc774278135816e7afc943dc9fc78eb0764f2c84a2b96470a0187315c@%3Ccommits.cxf.apache.org%3E","reference_id":"","reference_type":"","scores":[],"url":"https://lists.apache.org/thread.html/rc774278135816e7afc943dc9fc78eb0764f2c84a2b96470a0187315c@%3Ccommits.cxf.apache.org%3E"},{"reference_url":"https://lists.apache.org/thread.html/rd49aabd984ed540c8ff7916d4d79405f3fa311d2fdbcf9ed307839a6@%3Ccommits.cxf.apache.org%3E","reference_id":"","reference_type":"","scores":[],"url":"https://lists.apache.org/thread.html/rd49aabd984ed540c8ff7916d4d79405f3fa311d2fdbcf9ed307839a6@%3Ccommits.cxf.apache.org%3E"},{"reference_url":"https://lists.apache.org/thread.html/rec7160382badd3ef4ad017a22f64a266c7188b9ba71394f0d321e2d4@%3Ccommits.cxf.apache.org%3E","refer
ence_id":"","reference_type":"","scores":[],"url":"https://lists.apache.org/thread.html/rec7160382badd3ef4ad017a22f64a266c7188b9ba71394f0d321e2d4@%3Ccommits.cxf.apache.org%3E"},{"reference_url":"https://lists.apache.org/thread.html/rfb87e0bf3995e7d560afeed750fac9329ff5f1ad49da365129b7f89e@%3Ccommits.cxf.apache.org%3E","reference_id":"","reference_type":"","scores":[],"url":"https://lists.apache.org/thread.html/rfb87e0bf3995e7d560afeed750fac9329ff5f1ad49da365129b7f89e@%3Ccommits.cxf.apache.org%3E"},{"reference_url":"https://lists.apache.org/thread.html/rff42cfa5e7d75b7c1af0e37589140a8f1999e578a75738740b244bd4@%3Ccommits.cxf.apache.org%3E","reference_id":"","reference_type":"","scores":[],"url":"https://lists.apache.org/thread.html/rff42cfa5e7d75b7c1af0e37589140a8f1999e578a75738740b244bd4@%3Ccommits.cxf.apache.org%3E"},{"reference_url":"https://www.oracle.com/security-alerts/cpuapr2020.html","reference_id":"","reference_type":"","scores":[],"url":"https://www.oracle.com/security-alerts/cpuapr2020.html"},{"reference_url":"https://www.oracle.com/security-alerts/cpujan2020.html","reference_id":"","reference_type":"","scores":[],"url":"https://www.oracle.com/security-alerts/cpujan2020.html"},{"reference_url":"https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html","reference_id":"","reference_type":"","scores":[],"url":"https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html"},{"reference_url":"http://www.securitytracker.com/id/1041199","reference_id":"","reference_type":"","scores":[],"url":"http://www.securitytracker.com/id/1041199"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2018-8039","reference_id":"CVE-2018-8039","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/detail/CVE-2018-8039"},{"reference_url":"https://cxf.apache.org/security-advisories.data/CVE-2018-8039.txt.asc","reference_id":"CVE-2018-8039.TXT.ASC","reference_type":"","scores":[],"url":"https://cxf.apache.org/security-advisories.data/C
VE-2018-8039.txt.asc"},{"reference_url":"https://github.com/advisories/GHSA-jc7r-v6fg-2gpf","reference_id":"GHSA-jc7r-v6fg-2gpf","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-jc7r-v6fg-2gpf"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/56867?format=json","purl":"pkg:maven/org.apache.cxf/apache-cxf@3.1.16","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.cxf/apache-cxf@3.1.16"},{"url":"http://public2.vulnerablecode.io/api/packages/56866?format=json","purl":"pkg:maven/org.apache.cxf/apache-cxf@3.2.5","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.cxf/apache-cxf@3.2.5"}],"aliases":["CVE-2018-8039","GHSA-jc7r-v6fg-2gpf"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-bfaf-hqw5-13fd"}],"risk_score":null,"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.cxf/apache-cxf@3.1.16"}