SSRF vulnerability using the Aegis DataBinding in Apache CXF

2024-03-1512:30:37

Google

osv.dev

ssrf

apache cxf

aegis databinding

webservices

vulnerability

data binding

7 High

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

26.5%

JSON

A SSRF vulnerability using the Aegis DataBinding in versions of Apache CXF before 4.0.4, 3.6.3 and 3.5.8 allows an attacker to perform SSRF style attacks on webservices that take at least one parameter of any type. Users of other data bindings (including the default databinding) are not impacted.

CPENameOperatorVersion
org.apache.cxf:cxf-coreeq3.2.11
org.apache.cxf:cxf-coreeq3.1.1
org.apache.cxf:cxf-coreeq3.1.9
org.apache.cxf:cxf-coreeq3.0.14
org.apache.cxf:cxf-coreeq3.3.12
org.apache.cxf:cxf-coreeq3.2.12
org.apache.cxf:cxf-coreeq3.2.14
org.apache.cxf:cxf-coreeq3.0.11
org.apache.cxf:cxf-coreeq3.4.8
org.apache.cxf:cxf-coreeq3.3.2

Name	Operator	Version
org.apache.cxf:cxf-core	eq	3.2.11
org.apache.cxf:cxf-core	eq	3.1.1
org.apache.cxf:cxf-core	eq	3.1.9
org.apache.cxf:cxf-core	eq	3.0.14
org.apache.cxf:cxf-core	eq	3.3.12
org.apache.cxf:cxf-core	eq	3.2.12
org.apache.cxf:cxf-core	eq	3.2.14
org.apache.cxf:cxf-core	eq	3.0.11
org.apache.cxf:cxf-core	eq	3.4.8
org.apache.cxf:cxf-core	eq	3.3.2