Lucene search

K
cvelistApacheCVELIST:CVE-2024-28752
HistoryMar 15, 2024 - 10:27 a.m.

CVE-2024-28752 Apache CXF SSRF Vulnerability using the Aegis databinding

2024-03-1510:27:30
CWE-918
apache
www.cve.org
12
apache cxf
ssrf
vulnerability
aegis databinding

AI Score

6.5

Confidence

Low

EPSS

0.001

Percentile

26.4%

A SSRF vulnerability using the Aegis DataBinding in versions of Apache CXF before 4.0.4, 3.6.3 and 3.5.8 allows an attacker to perform SSRF style attacks on webservices that take at least one parameter of any type. Users of other data bindings (including the default databinding) are not impacted.

CNA Affected

[
  {
    "defaultStatus": "unaffected",
    "packageName": "org.apache.cxf.aegis",
    "product": "Apache CXF",
    "vendor": "Apache Software Foundation",
    "versions": [
      {
        "lessThan": "4.0.4, 3.6.3, 3.5.8",
        "status": "affected",
        "version": "0",
        "versionType": "semver"
      }
    ]
  }
]

AI Score

6.5

Confidence

Low

EPSS

0.001

Percentile

26.4%