VulnerableCode Package Details - pkg:maven/org.apache.cxf/cxf@3.4.4

Search for packages

Vulnerability	Summary	Fixed by
VCID-2w4b-at7v-jfew Aliases: CVE-2021-40690 GHSA-j8wc-gxx9-82hx	All versions of Apache Santuario - XML Security for Java prior to 2.2.3 and 2.1.7 are vulnerable to an issue where the "secureValidation" property is not passed correctly when creating a KeyInfo from a KeyInfoReference element. This allows an attacker to abuse an XPath Transform to extract any local .xml files in a RetrievalMethod element.	3.4.5 Affected by 2 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }}
VCID-3tb8-jrjz-b7fw Aliases: CVE-2022-46364 GHSA-x3x3-qwjq-8gj4	Apache CXF Server-Side Request Forgery vulnerability A SSRF vulnerability in parsing the href attribute of XOP:Include in MTOM requests in versions of Apache CXF before 3.5.5 and 3.4.10 allows an attacker to perform SSRF style attacks on webservices that take at least one parameter of any type.	3.4.10 Affected by 0 other vulnerabilities. 3.5.5 Affected by 0 other vulnerabilities.
VCID-qjqy-9ypz-8bgz Aliases: CVE-2022-46363 GHSA-3w37-5p3p-jv92	Apache CXF vulnerable to Exposure of Sensitive Information A vulnerability in Apache CXF before versions 3.5.5 and 3.4.10 allows an attacker to perform a remote directory listing or code exfiltration. The vulnerability only applies when the CXFServlet is configured with both the static-resources-list and redirect-query-check attributes. These attributes are not supposed to be used together, and so the vulnerability can only arise if the CXF service is misconfigured.	3.4.10 Affected by 0 other vulnerabilities. 3.5.5 Affected by 0 other vulnerabilities.

Vulnerability

Summary

Fixed by

VCID-2w4b-at7v-jfew
Aliases:
CVE-2021-40690
GHSA-j8wc-gxx9-82hx

All versions of Apache Santuario - XML Security for Java prior to 2.2.3 and 2.1.7 are vulnerable to an issue where the "secureValidation" property is not passed correctly when creating a KeyInfo from a KeyInfoReference element. This allows an attacker to abuse an XPath Transform to extract any local .xml files in a RetrievalMethod element.

3.4.5
Affected by 2 other vulnerabilities.

VCID-3tb8-jrjz-b7fw
Aliases:
CVE-2022-46364
GHSA-x3x3-qwjq-8gj4

Apache CXF Server-Side Request Forgery vulnerability A SSRF vulnerability in parsing the href attribute of XOP:Include in MTOM requests in versions of Apache CXF before 3.5.5 and 3.4.10 allows an attacker to perform SSRF style attacks on webservices that take at least one parameter of any type.

3.4.10
Affected by 0 other vulnerabilities.

3.5.5
Affected by 0 other vulnerabilities.

VCID-qjqy-9ypz-8bgz
Aliases:
CVE-2022-46363
GHSA-3w37-5p3p-jv92

Apache CXF vulnerable to Exposure of Sensitive Information A vulnerability in Apache CXF before versions 3.5.5 and 3.4.10 allows an attacker to perform a remote directory listing or code exfiltration. The vulnerability only applies when the CXFServlet is configured with both the static-resources-list and redirect-query-check attributes. These attributes are not supposed to be used together, and so the vulnerability can only arise if the CXF service is misconfigured.

3.4.10
Affected by 0 other vulnerabilities.

3.5.5
Affected by 0 other vulnerabilities.

Vulnerability	Summary	Aliases
VCID-nm3a-xq11-sudn	Infinite loop in Apache CFX A vulnerability in the JsonMapObjectReaderWriter of Apache CXF allows an attacker to submit malformed JSON to a web service, which results in the thread getting stuck in an infinite loop, consuming CPU indefinitely. This issue affects Apache CXF versions prior to 3.4.4; Apache CXF versions prior to 3.3.11.	CVE-2021-30468 GHSA-g23v-p5jq-jvh4

Vulnerability

Summary

Aliases

VCID-nm3a-xq11-sudn

Infinite loop in Apache CFX A vulnerability in the JsonMapObjectReaderWriter of Apache CXF allows an attacker to submit malformed JSON to a web service, which results in the thread getting stuck in an infinite loop, consuming CPU indefinitely. This issue affects Apache CXF versions prior to 3.4.4; Apache CXF versions prior to 3.3.11.

CVE-2021-30468
GHSA-g23v-p5jq-jvh4

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2025-08-01T10:56:16.030915+00:00	GitLab Importer	Affected by	VCID-qjqy-9ypz-8bgz	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.apache.cxf/cxf/CVE-2022-46363.yml	37.0.0
2025-08-01T10:56:06.643585+00:00	GitLab Importer	Affected by	VCID-3tb8-jrjz-b7fw	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.apache.cxf/cxf/CVE-2022-46364.yml	37.0.0
2025-07-31T12:30:30.390528+00:00	GHSA Importer	Fixing	VCID-nm3a-xq11-sudn	https://github.com/advisories/GHSA-g23v-p5jq-jvh4	37.0.0
2025-07-31T09:24:53.897782+00:00	GitLab Importer	Affected by	VCID-2w4b-at7v-jfew	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.apache.cxf/cxf/CVE-2021-40690.yml	37.0.0
2025-07-31T09:00:55.500577+00:00	GithubOSV Importer	Fixing	VCID-nm3a-xq11-sudn	https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/01/GHSA-g23v-p5jq-jvh4/GHSA-g23v-p5jq-jvh4.json	37.0.0