Lucene search

GitHub Advisory DatabaseGHSA-4MGG-FQFQ-64HG

HistoryJul 19, 2024 - 9:32 a.m.

Apache CXF allows unrestricted memory consumption in CXF HTTP clients

2024-07-1909:32:06

CWE-401

GitHub Advisory Database

github.com

apache cxf

http client

memory consumption

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

AI Score

6.8

Confidence

High

EPSS

0.001

Percentile

38.6%

JSON

In versions of Apache CXF before 3.6.4 and 4.0.5 (3.5.x and lower versions are not impacted), a CXF HTTP client conduit may prevent HTTPClient instances from being garbage collected and it is possible that memory consumption will continue to increase, eventually causing the application to run out of memory

Affected configurations

Vulners

Node

org.apache.cxf\Matchcxf-rt-management

VendorProductVersionCPE
*org.apache.cxf\cxf-rt-managementcpe:2.3:a:*:org.apache.cxf\:cxf-rt-management:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
*	org.apache.cxf\	cxf-rt-management	cpe:2.3:a::org.apache.cxf\:cxf-rt-management::::::::*

References

github.com/advisories/GHSA-4mgg-fqfq-64hg

lists.apache.org/thread/n2hvbrgwpdtcqdccod8by28ynnolybl6

nvd.nist.gov/vuln/detail/CVE-2024-41172

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

AI Score

6.8

Confidence

High

EPSS

0.001

Percentile

38.6%

JSON

Related for GHSA-4MGG-FQFQ-64HG