{"url":"http://public2.vulnerablecode.io/api/packages/62152?format=json","purl":"pkg:maven/org.apache.cxf/cxf-core@3.1.8","type":"maven","namespace":"org.apache.cxf","name":"cxf-core","version":"3.1.8","qualifiers":{},"subpath":"","is_vulnerable":true,"next_non_vulnerable_version":"3.1.9","latest_non_vulnerable_version":"4.0.4","affected_by_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/38758?format=json","vulnerability_id":"VCID-3w9n-4sux-vyh5","summary":"Cross-site Scripting\nThe HTTP transport module in Apache CXF uses `FormattedServiceListWriter` to provide an HTML page which lists the names and absolute URL addresses of the available service endpoints. The module calculates the base URL using the current `HttpServletRequest` which is used by `FormattedServiceListWriter` to build the service endpoint absolute URLs. If the unexpected matrix parameters have been injected into the request URL then these matrix parameters will find their way back to the client in the services list page which represents an XSS risk to the client.","references":[{"reference_url":"https://access.redhat.com/errata/RHSA-2017:0868","reference_id":"","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2017:0868"},{"reference_url":"https://issues.apache.org/jira/browse/CXF-6216","reference_id":"","reference_type":"","scores":[],"url":"https://issues.apache.org/jira/browse/CXF-6216"},{"reference_url":"https://lists.apache.org/thread.html/r36e44ffc1a9b365327df62cdfaabe85b9a5637de102cea07d79b2dbf@%3Ccommits.cxf.apache.org%3E","reference_id":"","reference_type":"","scores":[],"url":"https://lists.apache.org/thread.html/r36e44ffc1a9b365327df62cdfaabe85b9a5637de102cea07d79b2dbf@%3Ccommits.cxf.apache.org%3E"},{"reference_url":"https://lists.apache.org/thread.html/rc774278135816e7afc943dc9fc78eb0764f2c84a2b96470a0187315c@%3Ccommits.cxf.apache.org%3E","reference_id":"","reference_type":"","scores":[],"url":"https://lists.apache.org/thread.html/rc774278135816e7afc943dc9fc78eb0764f2c84a2b96470a0187315c@%3Ccommits.cxf.apache.org%3E"},{"reference_url":"https://lists.apache.org/thread.html/rd49aabd984ed540c8ff7916d4d79405f3fa311d2fdbcf9ed307839a6@%3Ccommits.cxf.apache.org%3E","reference_id":"","reference_type":"","scores":[],"url":"https://lists.apache.org/thread.html/rd49aabd984ed540c8ff7916d4d79405f3fa311d2fdbcf9ed307839a6@%3Ccommits.cxf.apache.org%3E"},{"reference_url":"https://lists.apache.org/thread.html/rec7160382badd3ef4ad017a22f64a266c7188b9ba71394f0d321e2d4@%3Ccommits.cxf.apache.org%3E","reference_id":"","reference_type":"","scores":[],"url":"https://lists.apache.org/thread.html/rec7160382badd3ef4ad017a22f64a266c7188b9ba71394f0d321e2d4@%3Ccommits.cxf.apache.org%3E"},{"reference_url":"https://lists.apache.org/thread.html/rfb87e0bf3995e7d560afeed750fac9329ff5f1ad49da365129b7f89e@%3Ccommits.cxf.apache.org%3E","reference_id":"","reference_type":"","scores":[],"url":"https://lists.apache.org/thread.html/rfb87e0bf3995e7d560afeed750fac9329ff5f1ad49da365129b7f89e@%3Ccommits.cxf.apache.org%3E"},{"reference_url":"https://lists.apache.org/thread.html/rff42cfa5e7d75b7c1af0e37589140a8f1999e578a75738740b244bd4@%3Ccommits.cxf.apache.org%3E","reference_id":"","reference_type":"","scores":[],"url":"https://lists.apache.org/thread.html/rff42cfa5e7d75b7c1af0e37589140a8f1999e578a75738740b244bd4@%3Ccommits.cxf.apache.org%3E"},{"reference_url":"http://www.securityfocus.com/bid/97582","reference_id":"","reference_type":"","scores":[],"url":"http://www.securityfocus.com/bid/97582"},{"reference_url":"http://www.securitytracker.com/id/1037543","reference_id":"","reference_type":"","scores":[],"url":"http://www.securitytracker.com/id/1037543"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2016-6812","reference_id":"CVE-2016-6812","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/detail/CVE-2016-6812"},{"reference_url":"http://cxf.apache.org/security-advisories.data/CVE-2016-6812.txt.asc","reference_id":"CVE-2016-6812.TXT.ASC","reference_type":"","scores":[],"url":"http://cxf.apache.org/security-advisories.data/CVE-2016-6812.txt.asc"},{"reference_url":"https://github.com/advisories/GHSA-vw2c-5wph-v92r","reference_id":"GHSA-vw2c-5wph-v92r","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-vw2c-5wph-v92r"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/62154?format=json","purl":"pkg:maven/org.apache.cxf/cxf-core@3.1.9","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.cxf/cxf-core@3.1.9"}],"aliases":["CVE-2016-6812","GHSA-vw2c-5wph-v92r"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-3w9n-4sux-vyh5"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/43361?format=json","vulnerability_id":"VCID-wk5d-6usk-yyh2","summary":"Improper Restriction of XML External Entity Reference\nThe JAX-RS module in Apache CXF prior to 3.0.12 and 3.1.x prior to 3.1.9 provides a number of Atom JAX-RS MessageBodyReaders. These readers use Apache Abdera Parser which expands XML entities by default which represents a major XXE risk.","references":[{"reference_url":"https://access.redhat.com/errata/RHSA-2017:0868","reference_id":"","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2017:0868"},{"reference_url":"https://lists.apache.org/thread.html/r36e44ffc1a9b365327df62cdfaabe85b9a5637de102cea07d79b2dbf@%3Ccommits.cxf.apache.org%3E","reference_id":"","reference_type":"","scores":[],"url":"https://lists.apache.org/thread.html/r36e44ffc1a9b365327df62cdfaabe85b9a5637de102cea07d79b2dbf@%3Ccommits.cxf.apache.org%3E"},{"reference_url":"https://lists.apache.org/thread.html/rc774278135816e7afc943dc9fc78eb0764f2c84a2b96470a0187315c@%3Ccommits.cxf.apache.org%3E","reference_id":"","reference_type":"","scores":[],"url":"https://lists.apache.org/thread.html/rc774278135816e7afc943dc9fc78eb0764f2c84a2b96470a0187315c@%3Ccommits.cxf.apache.org%3E"},{"reference_url":"https://lists.apache.org/thread.html/rd49aabd984ed540c8ff7916d4d79405f3fa311d2fdbcf9ed307839a6@%3Ccommits.cxf.apache.org%3E","reference_id":"","reference_type":"","scores":[],"url":"https://lists.apache.org/thread.html/rd49aabd984ed540c8ff7916d4d79405f3fa311d2fdbcf9ed307839a6@%3Ccommits.cxf.apache.org%3E"},{"reference_url":"https://lists.apache.org/thread.html/rec7160382badd3ef4ad017a22f64a266c7188b9ba71394f0d321e2d4@%3Ccommits.cxf.apache.org%3E","reference_id":"","reference_type":"","scores":[],"url":"https://lists.apache.org/thread.html/rec7160382badd3ef4ad017a22f64a266c7188b9ba71394f0d321e2d4@%3Ccommits.cxf.apache.org%3E"},{"reference_url":"https://lists.apache.org/thread.html/rfb87e0bf3995e7d560afeed750fac9329ff5f1ad49da365129b7f89e@%3Ccommits.cxf.apache.org%3E","reference_id":"","reference_type":"","scores":[],"url":"https://lists.apache.org/thread.html/rfb87e0bf3995e7d560afeed750fac9329ff5f1ad49da365129b7f89e@%3Ccommits.cxf.apache.org%3E"},{"reference_url":"https://lists.apache.org/thread.html/rff42cfa5e7d75b7c1af0e37589140a8f1999e578a75738740b244bd4@%3Ccommits.cxf.apache.org%3E","reference_id":"","reference_type":"","scores":[],"url":"https://lists.apache.org/thread.html/rff42cfa5e7d75b7c1af0e37589140a8f1999e578a75738740b244bd4@%3Ccommits.cxf.apache.org%3E"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2016-8739","reference_id":"CVE-2016-8739","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/detail/CVE-2016-8739"},{"reference_url":"http://cxf.apache.org/security-advisories.data/CVE-2016-8739.txt.asc","reference_id":"CVE-2016-8739.TXT.ASC","reference_type":"","scores":[],"url":"http://cxf.apache.org/security-advisories.data/CVE-2016-8739.txt.asc"},{"reference_url":"https://github.com/advisories/GHSA-x7xf-253v-x3w8","reference_id":"GHSA-x7xf-253v-x3w8","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-x7xf-253v-x3w8"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/62154?format=json","purl":"pkg:maven/org.apache.cxf/cxf-core@3.1.9","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.cxf/cxf-core@3.1.9"}],"aliases":["CVE-2016-8739","GHSA-x7xf-253v-x3w8"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-wk5d-6usk-yyh2"}],"fixing_vulnerabilities":[],"risk_score":null,"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.cxf/cxf-core@3.1.8"}