Lucene search

K
ApacheCxf

11 matches found

CVE
CVE
added 2021/09/19 6:15 p.m.583 views

CVE-2021-40690

All versions of Apache Santuario - XML Security for Java prior to 2.2.3 and 2.1.7 are vulnerable to an issue where the "secureValidation" property is not passed correctly when creating a KeyInfo from a KeyInfoReference element. This allows an attacker to abuse an XPath Transform to extract any loca...

7.5CVSS7.4AI score0.00335EPSS
CVE
CVE
added 2025/01/21 10:15 a.m.251 views

CVE-2025-23184

A potential denial of service vulnerability is present in versions of Apache CXF before 3.5.10, 3.6.5 and 4.0.6. In some edge cases, the CachedOutputStream instances may not be closed and, if backed by temporary files, may fill up the file system (it applies to servers and clients).

7.5CVSS5.6AI score0.00318EPSS
CVE
CVE
added 2022/12/13 3:15 p.m.250 views

CVE-2022-46363

A vulnerability in Apache CXF before versions 3.5.5 and 3.4.10 allows an attacker to perform a remote directory listing or code exfiltration. The vulnerability only applies when the CXFServlet is configured with both the static-resources-list and redirect-query-check attributes. These attributes ar...

7.5CVSS8.4AI score0.00065EPSS
CVE
CVE
added 2021/06/16 12:15 p.m.178 views

CVE-2021-30468

A vulnerability in the JsonMapObjectReaderWriter of Apache CXF allows an attacker to submit malformed JSON to a web service, which results in the thread getting stuck in an infinite loop, consuming CPU indefinitely. This issue affects Apache CXF versions prior to 3.4.4; Apache CXF versions prior to...

7.5CVSS7.4AI score0.004EPSS
CVE
CVE
added 2021/04/02 10:15 a.m.175 views

CVE-2021-22696

CXF supports (via JwtRequestCodeFilter) passing OAuth 2 parameters via a JWT token as opposed to query parameters (see: The OAuth 2.0 Authorization Framework: JWT Secured Authorization Request (JAR)). Instead of sending a JWT token as a "request" parameter, the spec also supports specifying a URI f...

7.5CVSS7.4AI score0.00487EPSS
CVE
CVE
added 2020/01/16 6:15 p.m.149 views

CVE-2019-12423

Apache CXF ships with a OpenId Connect JWK Keys service, which allows a client to obtain the public keys in JWK format, which can then be used to verify the signature of tokens issued by the service. Typically, the service obtains the public key from a local keystore (JKS/PKCS12) by specifing the p...

7.5CVSS7.2AI score0.01318EPSS
CVE
CVE
added 2024/07/19 9:15 a.m.91 views

CVE-2024-41172

In versions of Apache CXF before 3.6.4 and 4.0.5 (3.5.x and lower versions are not impacted), a CXF HTTP client conduit may prevent HTTPClient instances from being garbage collected and it is possible that memory consumption will continue to increase, eventually causing the application to run out o...

7.5CVSS6.5AI score0.03183EPSS
CVE
CVE
added 2017/08/10 6:29 p.m.78 views

CVE-2016-8739

The JAX-RS module in Apache CXF prior to 3.0.12 and 3.1.x prior to 3.1.9 provides a number of Atom JAX-RS MessageBodyReaders. These readers use Apache Abdera Parser which expands XML entities by default which represents a major XXE risk.

7.8CVSS7.3AI score0.02672EPSS
CVE
CVE
added 2017/04/18 4:59 p.m.77 views

CVE-2017-5656

Apache CXF's STSClient before 3.1.11 and 3.0.13 uses a flawed way of caching tokens that are associated with delegation tokens, which means that an attacker could craft a token which would return an identifer corresponding to a cached token for another user.

7.5CVSS7.3AI score0.03801EPSS
CVE
CVE
added 2017/08/10 6:29 p.m.73 views

CVE-2017-3156

The OAuth2 Hawk and JOSE MAC Validation code in Apache CXF prior to 3.0.13 and 3.1.x prior to 3.1.10 is not using a constant time MAC signature comparison algorithm which may be exploited by sophisticated timing attacks.

7.5CVSS7.3AI score0.1307EPSS
CVE
CVE
added 2024/07/19 9:15 a.m.73 views

CVE-2024-32007

An improper input validation of the p2c parameter in the Apache CXF JOSE code before 4.0.5, 3.6.4 and 3.5.9 allows an attacker to perform a denial of service attack by specifying a large value for this parameter in a token.

7.5CVSS6.7AI score0.00783EPSS