purl | pkg:maven/org.apache.cxf/cxf-core@3.0.0-milestone1 |
Vulnerability | Summary | Fixed by |
---|---|---|
VCID-6b2t-76tu-aaaa Aliases: CVE-2024-28752 GHSA-qmgx-j96g-4428 | A SSRF vulnerability using the Aegis DataBinding in versions of Apache CXF before 4.0.4, 3.6.3 and 3.5.8 allows an attacker to perform SSRF style attacks on webservices that take at least one parameter of any type. Users of other data bindings (including the default databinding) are not impacted. | Affected by 1 other vulnerability. Affected by 1 other vulnerability. Affected by 1 other vulnerability. |
VCID-a56m-3xft-aaap Aliases: CVE-2017-5656 GHSA-v936-x3j5-c76j | Session Fixation: Apache CXF's STSClient uses a flawed way of caching tokens that are associated with delegation tokens, which means that an attacker could craft a token which would return an identifier corresponding to a cached token for another user. | Affected by 11 other vulnerabilities. Affected by 11 other vulnerabilities. |
VCID-dkhn-89pe-aaan Aliases: CVE-2016-8739 GHSA-x7xf-253v-x3w8 | CVE-2016-8739 apache-cxf: Atom entity provider of Apache CXF JAX-RS is vulnerable to XXE | Affected by 13 other vulnerabilities. Affected by 13 other vulnerabilities. |
VCID-eqe5-wr57-aaar Aliases: CVE-2022-46363 GHSA-3w37-5p3p-jv92 | Apache CXF vulnerable to Exposure of Sensitive Information | Affected by 2 other vulnerabilities. Affected by 2 other vulnerabilities. |
VCID-gjyt-m1m5-aaas Aliases: CVE-2016-6812 GHSA-vw2c-5wph-v92r | Cross-site Scripting: The HTTP transport module in Apache CXF uses `FormattedServiceListWriter` to provide an HTML page which lists the names and absolute URL addresses of the available service endpoints. The module calculates the base URL using the current `HttpServletRequest`, which is used by `FormattedServiceListWriter` to build the service endpoint absolute URLs. If unexpected matrix parameters have been injected into the request URL, these matrix parameters find their way back to the client in the services list page, which represents an XSS risk to the client. | Affected by 13 other vulnerabilities. Affected by 13 other vulnerabilities. |
VCID-gtfj-ry3n-aaae Aliases: CVE-2020-13954 GHSA-64x2-gq24-75pv | Cross-site scripting in Apache CXF | Affected by 5 other vulnerabilities. Affected by 5 other vulnerabilities. |
VCID-h2se-g2gp-77fk Aliases: CVE-2025-23184 GHSA-fh5r-crhr-qrrq | org.apache.cxf: Apache CXF: Denial of Service vulnerability with temporary files | Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
VCID-jv7g-f1zc-aaas Aliases: CVE-2017-12624 GHSA-7vgj-8mw4-hg8r | Uncontrolled Resource Consumption: It is possible to craft a message attachment header that could lead to a Denial of Service (DoS) attack on a CXF web service provider. | Affected by 10 other vulnerabilities. Affected by 12 other vulnerabilities. |
VCID-krfe-wrvk-aaap Aliases: CVE-2018-8039 GHSA-jc7r-v6fg-2gpf | High severity vulnerability that affects org.apache.cxf:apache-cxf, org.apache.cxf:apache-cxf, and org.apache.cxf:cxf | Affected by 9 other vulnerabilities. Affected by 11 other vulnerabilities. |
VCID-shw4-mwht-aaan Aliases: CVE-2022-46364 GHSA-x3x3-qwjq-8gj4 | Apache CXF Server-Side Request Forgery vulnerability | Affected by 2 other vulnerabilities. Affected by 2 other vulnerabilities. |
VCID-td3d-v749-aaac Aliases: CVE-2017-5653 GHSA-hgg6-8x62-m9gf | Improper Certificate Validation: JAX-RS XML Security streaming clients in Apache CXF do not validate that the service response was signed or encrypted, which allows remote attackers to spoof servers. | Affected by 11 other vulnerabilities. Affected by 11 other vulnerabilities. |
VCID-v7tx-bnp9-aaag Aliases: CVE-2019-12423 GHSA-42f2-f9vc-6365 | Private key leak in Apache CXF | Affected by 8 other vulnerabilities. Affected by 7 other vulnerabilities. |
VCID-za5z-5gde-aaaj Aliases: CVE-2019-12406 GHSA-58p8-9g59-q2hr | Potential DoS attack due to unrestricted attachment count in messages | Affected by 9 other vulnerabilities. Affected by 9 other vulnerabilities. |
VCID-zggp-qr1y-aaaf Aliases: CVE-2021-22696 GHSA-7q4h-pj78-j7vg | Authorization service vulnerable to DDoS attacks in Apache CXF | Affected by 4 other vulnerabilities. Affected by 4 other vulnerabilities. |
VCID-zncz-6mqe-aaan Aliases: CVE-2020-1954 GHSA-ffm7-7r8g-77xm | Exposure of Sensitive Information to an Unauthorized Actor in Apache CXF | Affected by 6 other vulnerabilities. Affected by 6 other vulnerabilities. |
Vulnerability | Summary | Aliases |
---|---|---|
This package is not known to fix vulnerabilities. |