Security Bulletin: IBM Maximo Application Suite uses multiple third party dependencies which are vulnerable to CVEs.
Summary: IBM Maximo Application Suite uses "form-data 4.0.0, org.apache.cxf:cxf-core 3.6.7, net/http/internal v1.24.1, braces 3.0.2, cross-spawn 7.0.3, crypto/x509 1.24.1 1.24.3, github.com/golang-jwt/jwt/v4 github.com/golang-jwt/jwt/v5 v4.5.0 v5.2.1, httpd 2.4.37, setuptools 78.0.2 75.8.0,...
be.atbash.test:integration-testing (=2.2.0), be.atbash.test:integration-testing-database (=2.2.0) +643 more potentially affected by CVE-2025-48795 via org.apache.cxf:cxf-core (>=4.0.0 <=4.0.6)
org.apache.cxf:cxf-core MAVEN version =4.0.0, =1.0.0, =12.1-7-21, =0.0.1, =2.70.0, =2.71.1 - com.codbex.kronos:codbex-kronos-commons =2.70.0 - com.codbex.kronos:codbex-kronos-components-api-parent =2.69.0 - com.codbex.kronos:codbex-kronos-components-engine-xsjob =2.69.0 and more Source cves:...
com.codbex.atlas:codbex-atlas-application (>=1.1.0 <=2.3.0), cv.igrp:igrp-core (=2.0.0.250321-GA) +416 more potentially affected by CVE-2025-48795 via org.apache.cxf:cxf-core (=4.1.0)
org.apache.cxf:cxf-core MAVEN version =4.1.0 is affected by a known vulnerability. The following packages have a transitive dependency on org.apache.cxf:cxf-core and may be impacted: - com.codbex.atlas:codbex-atlas-application =1.1.0, =4.1.0, =1.0.0, =1.0.0, =1.0.0, =1.0.0, =1.0.0, =1.0.0, =1.0.0...
cv.igrp:igrp-core (>=1.7.3.230801 <=1.7.3.230802), eu.unicore.security:secutils-cxf (=3.4.3) +377 more potentially affected by CVE-2025-48795 via org.apache.cxf:cxf-core (>=3.6.0 <=3.6.5)
org.apache.cxf:cxf-core MAVEN version =3.6.0, =1.7.3.230801, =3.0-M3, =3.0-M3, =3.0-M3, =3.0-M3, =2.0, =4.4.6.hyte-24270, =4.4.6.hyte-24270, =4.4.6.hyte-24270, =4.4.6.hyte-24270, =3.0.5, =3.0.6 - net.tirasa.connid.bundles:net.tirasa.connid.bundles.servicenow =1.0.4 -...
be.atbash.test:integration-testing (>=1.0.0 <=1.1.0), com.codbex.chronos:codbex-chronos-platform (>=0.3.0 <=0.5.4) +1091 more potentially affected by CVE-2022-46364 via org.apache.cxf:cxf-core (>=3.5.0 <=3.5.4)
org.apache.cxf:cxf-core MAVEN version =3.5.0, =1.0.0, =0.3.0, =0.3.0, =0.5.3, =0.2.0, =0.2.0, =0.2.0, =0.2.0, =0.2.0, =0.2.0, =0.2.0, =0.2.0, =0.2.0, =0.2.0, =0.2.0, =0.3.0 and more Source cves: CVE-2022-46364 Source advisory: OSV:GHSA-X3X3-QWJQ-8GJ4...
ai.idylnlp:idylnlp-nlp-language-detection-tika (>=1.0.0 <=1.1.0), ai.stainless:grails-tika (=0.1.0) +2685 more potentially affected by CVE-2022-46363 via org.apache.cxf:cxf-core (>=3.0.0-milestone1 <=3.4.1)
org.apache.cxf:cxf-core MAVEN version =3.0.0-milestone1, =1.0.0, =11.4-37, =3.6.1, =3.11.0, =3.0.0.RELEASE, =3.0.0.RELEASE, =3.0.0.RELEASE, =3.0.0.RELEASE, =3.0.0.RELEASE, =3.0.0.RELEASE, =3.1.0.RELEASE - cloud.testload:jmeter-clickhouse-listener =2.00 and more Source cves: CVE-2022-46363 Source...
cloud.altemista.fwk.framework:cloud-altemistafwk-documentation (=3.1.0.RELEASE), cloud.altemista.fwk.soap:cloud-altemistafwk-core-soap-wss (>=3.0.0.RELEASE <=3.1.0.RELEASE) +927 more potentially affected by CVE-2017-12624 via org.apache.cxf:cxf-core (>=3.1.0 <=3.1.13)
org.apache.cxf:cxf-core MAVEN version =3.1.0, =3.0.0.RELEASE, =3.0.0.RELEASE, =3.0.0.RELEASE, =3.0.0.RELEASE, =3.0.0.RELEASE, =3.0.0.RELEASE, =5.0.0, =1.0.0, =2.3.3, =1.0, =0.2, =0.2, =0.4 - com.github.arucard21.simplyrestful:simplyrestful-spring-boot =0.1 and more Source cves: CVE-2017-12624...
cloud.altemista.fwk.framework:cloud-altemistafwk-documentation (=3.1.0.RELEASE), cloud.altemista.fwk.soap:cloud-altemistafwk-core-soap-wss (>=3.0.0.RELEASE <=3.1.0.RELEASE) +1253 more potentially affected by CVE-2016-6812 via org.apache.cxf:cxf-core (>=3.1.0 <=3.1.8)
org.apache.cxf:cxf-core MAVEN version =3.1.0, =3.0.0.RELEASE, =3.0.0.RELEASE, =3.0.0.RELEASE, =3.0.0.RELEASE, =3.0.0.RELEASE, =3.0.0.RELEASE, =2.6.3, =1.2.18, =5.0.0, =6.0.1 - com.bilalalp:cxfclientlogger =1.0 - com.bilalalp:cxflogger =1.0 and more Source cves: CVE-2016-6812 Source advisory:...
cloud.altemista.fwk.framework:cloud-altemistafwk-documentation (=3.1.0.RELEASE), cloud.altemista.fwk.soap:cloud-altemistafwk-core-soap-wss (>=3.0.0.RELEASE <=3.1.0.RELEASE) +1253 more potentially affected by CVE-2016-8739 via org.apache.cxf:cxf-core (>=3.1.0 <=3.1.8)
org.apache.cxf:cxf-core MAVEN version =3.1.0, =3.0.0.RELEASE, =3.0.0.RELEASE, =3.0.0.RELEASE, =3.0.0.RELEASE, =3.0.0.RELEASE, =3.0.0.RELEASE, =2.6.3, =1.2.18, =5.0.0, =6.0.1 - com.bilalalp:cxfclientlogger =1.0 - com.bilalalp:cxflogger =1.0 and more Source cves: CVE-2016-8739 Source advisory:...
Denial Of Service (DoS)
Apache CXF-Core is susceptible to a denial of service (DoS) attack. The attack is possible because it fails to limit the maximum number of message attachments in a given message, allowing an attacker to provide a message with a huge number of attachments and trigger a DoS attack...