19 matches found
EUVD-2026-36402
A vulnerability in Apache CXF's JwsJsonContainerRequestFilter can be exploited to cause CXF to process metadata that was not authenticated by the accepted signature. This can bypass the application's assumption that accepted Content-Type or protected HTTP-header metadata came from a verified...
GHSA-FH5R-CRHR-QRRQ Apache CXF: Denial of Service vulnerability with temporary files
A potential denial of service vulnerability is present in versions of Apache CXF before 3.5.10, 3.6.5 and 4.0.6. In some edge cases, the CachedOutputStream instances may not be closed and, if backed by temporary files, may fill up the file system (it applies to servers and clients)...
Apache CXF Security Vulnerability
Apache CXF is an open source Web services framework from the Apache Software Foundation in the United States. The framework supports a variety of Web services standards and a variety of front-end programming APIs. Apache CXF has a memory consumption vulnerability that originates from a client-side pipeline th...
Fedora: Security Advisory for ws-commons-util (FEDORA-2024-129d8ca6fc)
The remote host is missing an update for the...
Apache CXF Code Issue Vulnerability
Apache CXF is an open source Web services framework from the Apache Software Foundation in the United States. The framework supports a variety of Web services standards, a variety of front-end programming APIs, and so on. A code issue vulnerability exists in Apache CXF versions prior to 3.5.5 and 3.4.10,...
The vulnerability in the Apache WSS4J software stems from flaws in its authentication process, which allow attackers to bypass the authentication process.
The vulnerability in the Apache WSS4J software framework and the Apache CXF framework for web services is related to deficiencies in the authentication process. Exploiting this vulnerability could allow a malicious actor to bypass the authentication process...
CXF: Denial of service vulnerability in parsing JSON via JsonMapObjectReaderWriter
A vulnerability in the JsonMapObjectReaderWriter of Apache CXF allows an attacker to submit malformed JSON to a web service, which results in the thread getting stuck in an infinite loop, consuming CPU indefinitely. This issue affects Apache CXF versions prior to 3.4.4; Apache CXF versions prior ...
GHSA-VJWC-5HFH-2VV5 Use of a Broken or Risky Cryptographic Algorithm in Apache WSS4J
Apache WSS4J before 1.6.17 and 2.0.x before 2.0.2 improperly leaks information about decryption failures when decrypting an encrypted key or message data, which makes it easier for remote attackers to recover the plaintext form of a symmetric key via a series of crafted messages. NOTE: this...
cxf: OAuth 2 authorization service vulnerable to DDoS attacks
CXF supports (via JwtRequestCodeFilter) passing OAuth 2 parameters via a JWT token as opposed to query parameters (see: The OAuth 2.0 Authorization Framework: JWT Secured Authorization Request (JAR)). Instead of sending a JWT token as a "request" parameter, the spec also supports specifying a URI from...
Apache CXF Resource Management Error Vulnerability
Apache CXF is an open source Web services framework from the Apache Software Foundation in the United States. The framework supports multiple Web service standards, multiple front-end programming APIs, etc. Apache CXF has a resource management error vulnerability that can be exploited by an attacker to submi...
The vulnerability in Apache CXF web services stems from a lack of measures to protect the structure of web pages, allowing attackers to perform cross-site scripting attacks.
The vulnerability in Apache CXF web services is related to a lack of measures to protect the structure of web pages. Exploiting this vulnerability allows a malicious actor to perform cross-site scripting attacks using the styleSheetPath parameter...
Apache CXF Cross-Site Scripting Vulnerability (CNVD-2020-66585)
Apache CXF is an open source Web services framework from the Apache Software Foundation in the United States. The framework supports a variety of Web services standards and a variety of front-end programming APIs. A cross-site scripting vulnerability exists in Apache CXF version 3.4.1 and all version...
PT-2020-7102 · Red Hat +1 · Redhat Jboss Middleware +9
Name of the Vulnerable Software and Affected Versions: Apache WSS4J versions prior to 1.6.5; JBossWS (affected versions not specified); Redhat JBoss Business Rules Management System (affected versions not specified); Redhat JBoss Enterprise Application Platform (affected versions not specified); Redhat JBo...
The vulnerability in the com.sun.net.ssl component of the Apache CXF web service framework allows an attacker to execute a type of “man-in-the-middle” attack.
The vulnerability in the com.sun.net.ssl component of Apache CXF web services is related to deficiencies in handling exceptional states. Exploiting this vulnerability allows a remote attacker to execute a “man-in-the-middle” attack...
UBUNTU-CVE-2015-0226
Apache WSS4J before 1.6.17 and 2.0.x before 2.0.2 improperly leaks information about decryption failures when decrypting an encrypted key or message data, which makes it easier for remote attackers to recover the plaintext form of a symmetric key via a series of crafted messages. NOTE: this...
Apache CXF Server Spoofing Vulnerability
Apache CXF is an open source Web services framework from the Apache Software Foundation in the United States. The framework supports a variety of Web services standards, a variety of front-end programming APIs, etc. JAX-RS XML Security streaming clients is one of the use of XML signatures and XML...
CXF: Large invalid content could cause temporary space to fill
It was found that when a large invalid SOAP message was processed by Apache CXF, it could be saved to a temporary file in the /tmp directory. A remote attacker could send a specially crafted SOAP message that, when processed by an application using Apache CXF, would use an excessive amount of dis...
wss4j: Apache WSS4J doesn't correctly enforce the requireSignedEncryptedDataElements property
It was found that Apache WSS4J permitted bypass of the requireSignedEncryptedDataElements configuration property via XML Signature wrapping attacks. A remote attacker could use this flaw to modify the contents of a signed request...
USN-1137-1: Eucalyptus vulnerability
Juraj Somorovsky, Jorg Schwenk, Meiko Jensen and Xiaofeng Lou discovered that Eucalyptus did not properly validate SOAP requests. An unauthenticated remote attacker could exploit this to submit arbitrary commands to the Eucalyptus SOAP interface in the context of an authenticated user...