oss-sec mailing list archives

Previous By Date Next
Previous By Thread Next

CVE-2024-28752: Apache CXF SSRF Vulnerability using the Aegis databinding

From: Colm O hEigeartaigh <coheigea () apache org>
Date: Thu, 14 Mar 2024 19:47:13 +0000
Severity: important

Affected versions:

- Apache CXF before 4.0.4, 3.6.3, 3.5.8

Description:

A SSRF vulnerability using the Aegis DataBinding in versions of Apache CXF before 4.0.4, 3.6.3 and 3.5.8 allows an 
attacker to perform SSRF style attacks on webservices that take at least one parameter of any type. Users of other data 
bindings (including the default databinding) are not impacted.

Credit:

Tobias S. Fink (finder)

References:

https://cxf.apache.org/security-advisories.data/CVE-2024-28752.txt
https://cxf.apache.org/
https://www.cve.org/CVERecord?id=CVE-2024-28752
Previous By Date Next
Previous By Thread Next

Current thread: