CVE-2024-32007

2024-07-1909:15:04

CWE-400

CWE-20

apache

web.nvd.nist.gov

improper input validation

apache cxf jose

denial of service

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

AI Score

6.7

Confidence

High

EPSS

0.001

Percentile

27.0%

JSON

An improper input validation of the p2c parameter in the Apache CXF JOSE code before 4.0.5, 3.6.4 and 3.5.9 allows an attacker to perform a denial of service attack by specifying a large value for this parameter in a token.

Affected configurations

Nvd

Vulners

Vulnrichment

Node

apachecxfRange<3.5.9

apachecxfRange3.6.0–3.6.4

apachecxfRange4.0.0–4.0.5

VendorProductVersionCPE
apachecxf*cpe:2.3:a:apache:cxf:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
apache	cxf	*	cpe:2.3:a:apache:cxf::::::::

CNA Affected

[
  {
    "defaultStatus": "unaffected",
    "packageName": "org.apache.cxf.rs.security.jose",
    "product": "Apache CXF",
    "vendor": "Apache Software Foundation",
    "versions": [
      {
        "lessThan": "4.0.5, 3.6.4, 3.5.9",
        "status": "affected",
        "version": "0",
        "versionType": "semver"
      }
    ]
  }
]