VulnerableCode Package Details - pkg:maven/org.apache.cxf/apache-cxf@3.1.18

Search for packages

Vulnerability	Summary	Fixed by
VCID-64k6-5enf-abgu Aliases: CVE-2020-13954 GHSA-64x2-gq24-75pv	Cross-site scripting in Apache CXF By default, Apache CXF creates a /services page containing a listing of the available endpoint names and addresses. This webpage is vulnerable to a reflected Cross-Site Scripting (XSS) attack via the styleSheetPath, which allows a malicious actor to inject javascript into the web page. This vulnerability affects all versions of Apache CXF prior to 3.4.1 and 3.3.8. Please note that this is a separate issue to CVE-2019-17573.	3.3.8 Affected by 0 other vulnerabilities. 3.4.1 Affected by 0 other vulnerabilities.
VCID-7w7b-5v75-4qd9 Aliases: CVE-2019-12423 GHSA-42f2-f9vc-6365	Private key leak in Apache CXF Apache CXF ships with a OpenId Connect JWK Keys service, which allows a client to obtain the public keys in JWK format, which can then be used to verify the signature of tokens issued by the service. Typically, the service obtains the public key from a local keystore (JKS/PKCS12) by specifing the path of the keystore and the alias of the keystore entry. This case is not vulnerable. However it is also possible to obtain the keys from a JWK keystore file, by setting the configuration parameter `rs.security.keystore.type` to `jwk`. For this case all keys are returned in this file "as is", including all private key and secret key credentials. This is an obvious security risk if the user has configured the signature keystore file with private or secret key credentials. From CXF 3.3.5 and 3.2.12, it is mandatory to specify an alias corresponding to the id of the key in the JWK file, and only this key is returned. In addition, any private key information is omitted by default. `oct` keys, which contain secret keys, are not returned at all.	3.2.12 Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} 3.3.5 Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }}
VCID-h4gn-4zp9-jyh5 Aliases: CVE-2019-17573 GHSA-f93p-f762-vr53	Reflected Cross-Site Scripting in Apache CXF By default, Apache CXF creates a /services page containing a listing of the available endpoint names and addresses. This webpage is vulnerable to a reflected Cross-Site Scripting (XSS) attack, which allows a malicious actor to inject javascript into the web page. Please note that the attack exploits a feature which is not typically not present in modern browsers, who remove dot segments before sending the request. However, Mobile applications may be vulnerable.	3.2.12 Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} 3.3.5 Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }}
VCID-vd5r-76hv-3bbv Aliases: CVE-2019-12406 GHSA-58p8-9g59-q2hr	Potential DOS attack due to unrestricted attachment count in messages Apache CXF before 3.3.4 and 3.2.11 does not restrict the number of message attachments present in a given message. This leaves open the possibility of a denial of service type attack, where a malicious user crafts a message containing a very large number of message attachments. From the 3.3.4 and 3.2.11 releases, a default limit of 50 message attachments is enforced. This is configurable via the message property "attachment-max-count".	3.2.11 Affected by 3 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} 3.3.4 Affected by 3 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }}

Vulnerability

Summary

Fixed by

VCID-64k6-5enf-abgu
Aliases:
CVE-2020-13954
GHSA-64x2-gq24-75pv

Cross-site scripting in Apache CXF By default, Apache CXF creates a /services page containing a listing of the available endpoint names and addresses. This webpage is vulnerable to a reflected Cross-Site Scripting (XSS) attack via the styleSheetPath, which allows a malicious actor to inject javascript into the web page. This vulnerability affects all versions of Apache CXF prior to 3.4.1 and 3.3.8. Please note that this is a separate issue to CVE-2019-17573.

3.3.8
Affected by 0 other vulnerabilities.

3.4.1
Affected by 0 other vulnerabilities.

VCID-7w7b-5v75-4qd9
Aliases:
CVE-2019-12423
GHSA-42f2-f9vc-6365

Private key leak in Apache CXF Apache CXF ships with a OpenId Connect JWK Keys service, which allows a client to obtain the public keys in JWK format, which can then be used to verify the signature of tokens issued by the service. Typically, the service obtains the public key from a local keystore (JKS/PKCS12) by specifing the path of the keystore and the alias of the keystore entry. This case is not vulnerable. However it is also possible to obtain the keys from a JWK keystore file, by setting the configuration parameter `rs.security.keystore.type` to `jwk`. For this case all keys are returned in this file "as is", including all private key and secret key credentials. This is an obvious security risk if the user has configured the signature keystore file with private or secret key credentials. From CXF 3.3.5 and 3.2.12, it is mandatory to specify an alias corresponding to the id of the key in the JWK file, and only this key is returned. In addition, any private key information is omitted by default. `oct` keys, which contain secret keys, are not returned at all.

3.2.12
Affected by 1 other vulnerability.

3.3.5
Affected by 1 other vulnerability.

VCID-h4gn-4zp9-jyh5
Aliases:
CVE-2019-17573
GHSA-f93p-f762-vr53

Reflected Cross-Site Scripting in Apache CXF By default, Apache CXF creates a /services page containing a listing of the available endpoint names and addresses. This webpage is vulnerable to a reflected Cross-Site Scripting (XSS) attack, which allows a malicious actor to inject javascript into the web page. Please note that the attack exploits a feature which is not typically not present in modern browsers, who remove dot segments before sending the request. However, Mobile applications may be vulnerable.

3.2.12
Affected by 1 other vulnerability.

3.3.5
Affected by 1 other vulnerability.

VCID-vd5r-76hv-3bbv
Aliases:
CVE-2019-12406
GHSA-58p8-9g59-q2hr

Potential DOS attack due to unrestricted attachment count in messages Apache CXF before 3.3.4 and 3.2.11 does not restrict the number of message attachments present in a given message. This leaves open the possibility of a denial of service type attack, where a malicious user crafts a message containing a very large number of message attachments. From the 3.3.4 and 3.2.11 releases, a default limit of 50 message attachments is enforced. This is configurable via the message property "attachment-max-count".

3.2.11
Affected by 3 other vulnerabilities.

3.3.4
Affected by 3 other vulnerabilities.

Vulnerability	Summary	Aliases
This package is not known to fix vulnerabilities.

Vulnerability

Summary

Aliases

This package is not known to fix vulnerabilities.

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2025-08-01T09:52:33.406523+00:00	GitLab Importer	Affected by	VCID-64k6-5enf-abgu	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.apache.cxf/apache-cxf/CVE-2020-13954.yml	37.0.0
2025-08-01T09:33:19.981103+00:00	GitLab Importer	Affected by	VCID-h4gn-4zp9-jyh5	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.apache.cxf/apache-cxf/CVE-2019-17573.yml	37.0.0
2025-08-01T09:32:32.865617+00:00	GitLab Importer	Affected by	VCID-7w7b-5v75-4qd9	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.apache.cxf/apache-cxf/CVE-2019-12423.yml	37.0.0
2025-08-01T09:26:32.954730+00:00	GitLab Importer	Affected by	VCID-vd5r-76hv-3bbv	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.apache.cxf/apache-cxf/CVE-2019-12406.yml	37.0.0