org.apache.cxf:cxf-core
Maven · 10 known CVEs affecting this package
Aggregated from OSV, GitHub Security Advisories, NVD, and vendor advisories. Each CVE links to its full detail page with vendor advisories, patches, fixed versions, and remediation guidance.
CVEs affecting org.apache.cxf:cxf-core (page 1 of 1)
- CVE-2014-0035 · severity NONE · CVSS 0.0 · EG 0.0 · ✓ Fixed in 2.7.10 · 2014-07-07
The SymmetricBinding in Apache CXF before 2.6.13 and 2.7.x before 2.7.10, when EncryptBeforeSigning is enabled and the UsernameToken policy is set to an EncryptedSupportingToken, transmits the UsernameToken in cleartext, which allows remot…
- CVE-2014-0109 · severity NONE · CVSS 0.0 · EG 0.0 · ✓ Fixed in 2.7.11 · 2014-05-08
Apache CXF before 2.6.14 and 2.7.x before 2.7.11 allows remote attackers to cause a denial of service (memory consumption) via a large request with the Content-Type set to text/html to a SOAP endpoint, which triggers an error.
- CVE-2014-0110 · severity NONE · CVSS 0.0 · EG 0.0 · ✓ Fixed in 2.7.11 · 2014-05-08
Apache CXF before 2.6.14 and 2.7.x before 2.7.11 allows remote attackers to cause a denial of service (/tmp disk consumption) via a large invalid SOAP message.
- CVE-2016-6812 · severity MEDIUM · CVSS 6.1 · EG 6.1 · ✓ Fixed in 3.1.9 · 2017-08-10
vulnerable: 3.1.0 ... 3.1.8 (9 versions)
The HTTP transport module in Apache CXF prior to 3.0.12 and 3.1.x prior to 3.1.9 uses FormattedServiceListWriter to provide an HTML page which lists the names and absolute URL addresses of the available service endpoints. The module calcul…
- CVE-2016-8739 · severity HIGH · CVSS 7.5 · EG 7.5 · ✓ Fixed in 3.1.9 · 2017-08-10
vulnerable: 3.1.0 ... 3.1.8 (9 versions)
The JAX-RS module in Apache CXF prior to 3.0.12 and 3.1.x prior to 3.1.9 provides a number of Atom JAX-RS MessageBodyReaders. These readers use Apache Abdera Parser which expands XML entities by default which represents a major XXE risk.
- CVE-2017-12624 · severity MEDIUM · CVSS 5.5 · EG 5.5 · ✓ Fixed in 3.0.16 · 2017-11-14
vulnerable: 3.0.0 ... 3.0.9 (18 versions)
Apache CXF supports sending and receiving attachments via either the JAX-WS or JAX-RS specifications. It is possible to craft a message attachment header that could lead to a Denial of Service (DoS) attack on a CXF web service provider. Bo…
- CVE-2017-5653 · severity MEDIUM · CVSS 5.3 · EG 5.3 · ✓ Fixed in 3.0.13 · 2017-04-18
vulnerable: 3.0.0 ... 3.0.9 (15 versions)
JAX-RS XML Security streaming clients in Apache CXF before 3.1.11 and 3.0.13 do not validate that the service response was signed or encrypted, which allows remote attackers to spoof servers.
- CVE-2017-5656 · severity HIGH · CVSS 7.5 · EG 7.5 · ✓ Fixed in 3.0.13 · 2017-04-18
vulnerable: 3.0.0 ... 3.0.9 (15 versions)
Apache CXF's STSClient before 3.1.11 and 3.0.13 uses a flawed way of caching tokens that are associated with delegation tokens, which means that an attacker could craft a token which would return an identifier corresponding to a cached toke…
- CVE-2022-46363 · severity HIGH · CVSS 7.5 · EG 7.5 · ✓ Fixed in 3.5.5 · 2022-12-13
vulnerable: 3.5.0, 3.5.1, 3.5.2, 3.5.3, 3.5.4
A vulnerability in Apache CXF before versions 3.5.5 and 3.4.10 allows an attacker to perform a remote directory listing or code exfiltration. The vulnerability only applies when the CXFServlet is configured with both the static-resources…
- CVE-2022-46364 · severity CRITICAL · CVSS 9.8 · EG 9.8 · ✓ Fixed in 3.5.5 · 2022-12-13
vulnerable: 3.5.0, 3.5.1, 3.5.2, 3.5.3, 3.5.4
A SSRF vulnerability in parsing the href attribute of XOP:Include in MTOM requests in versions of Apache CXF before 3.5.5 and 3.4.10 allows an attacker to perform SSRF style attacks on webservices that take at least one parameter of any t…
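The CVE-2022-46364 entry above describes the underlying mistake: an `xop:Include` `href` in an MTOM request was resolved even when it pointed somewhere other than a MIME part of the same message. The following Python check is an added example, not Apache CXF's code and not taken from the advisory; it shows the generic hardening a gateway or pre-processing filter can apply while an upgrade to 3.5.5 / 3.4.10 is pending: accept only `cid:` references, and only those that name an attachment actually present in the request. The XOP namespace is the W3C one; the SOAP envelopes, Content-ID values and the `make_envelope` helper are constructed for this example.

```python
"""Reject MTOM/XOP requests whose xop:Include href is not a cid: reference
to an attachment carried in the same message.

Added example (not CXF code). Sample envelopes are constructed inline.
"""
from __future__ import annotations

import xml.etree.ElementTree as ET
from urllib.parse import unquote, urlparse

XOP_NS = "http://www.w3.org/2004/08/xop/include"


def make_envelope(href: str) -> str:
    """Constructed MTOM-style SOAP request with a single xop:Include (sample input)."""
    return f"""<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
  xmlns:xop="{XOP_NS}">
  <soap:Body>
    <upload xmlns="urn:example:files">
      <data><xop:Include href="{href}"/></data>
    </upload>
  </soap:Body>
</soap:Envelope>"""


def find_xop_hrefs(envelope_xml: str) -> list[str]:
    """Collect every xop:Include href in the envelope (stdlib parser; it does not
    fetch external entities, but use defusedxml in production code)."""
    root = ET.fromstring(envelope_xml)
    return [el.get("href", "") for el in root.iter(f"{{{XOP_NS}}}Include")]


def is_safe_xop_href(href: str) -> bool:
    """Only a non-empty cid: reference is acceptable. Any other scheme (http, ftp,
    file, jar, ...) or a bare relative path is refused outright."""
    parsed = urlparse(href.strip())
    return parsed.scheme.lower() == "cid" and bool(parsed.path)


def normalize_content_id(header_value: str) -> str:
    """'<part1@example.org>' (Content-ID header) -> 'part1@example.org'."""
    return header_value.strip().strip("<>")


def audit_xop_includes(envelope_xml: str, content_id_headers: list[str]) -> list[str]:
    """Return rejection reasons for the request; an empty list means it may proceed.

    content_id_headers: the raw Content-ID header of each MIME part in the request.
    """
    known = {normalize_content_id(c) for c in content_id_headers}
    problems: list[str] = []
    for href in find_xop_hrefs(envelope_xml):
        if not is_safe_xop_href(href):
            problems.append(f"non-cid href rejected: {href!r}")
            continue
        # RFC 2392 allows the Content-ID inside a cid: URL to be percent-encoded.
        content_id = unquote(urlparse(href.strip()).path)
        if content_id not in known:
            problems.append(f"href references no attachment in this message: {href!r}")
    return problems


if __name__ == "__main__":
    parts = ["<part1@example.org>"]
    for href in ("cid:part1@example.org",
                 "http://internal-service.example/status",
                 "file:///etc/hosts",
                 "cid:missing@example.org"):
        print(href, "->", audit_xop_includes(make_envelope(href), parts) or "accepted")
```

The check deliberately refuses anything that is not `cid:` rather than trying to enumerate dangerous schemes: an allow-list is the only shape of this filter that does not need updating when a new URL handler appears in the JVM.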
Check whether org.apache.cxf:cxf-core is used in your infrastructure
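The practical question behind this list is whether a deployed `org.apache.cxf:cxf-core` version falls inside an affected range. The following Python script is an added example (not EchelonGraph's or Apache CXF's code): it pulls the package version out of a CycloneDX SBOM or a `mvn dependency:tree` listing and reports which of the CVEs above apply. The ranges are transcribed from the advisory text quoted on this page; CVE-2017-12624 is left out because its description here is cut off before it states version boundaries, so check its detail page separately. The SBOM document, the dependency-tree lines and the `version_key` ordering helper are constructed for this example, and the ordering is a simplification of Maven's (a qualifier such as `-milestone1` sorts before the bare release, which is the case that matters here).

```python
"""Report which CVEs listed on this page affect the cxf-core version(s) found in
a CycloneDX SBOM or a `mvn dependency:tree` listing.

Added example, not the page's or the project's own code. Ranges are taken from
the advisory descriptions above; sample inputs are constructed.
"""
from __future__ import annotations

import json
import re

PACKAGE = "org.apache.cxf:cxf-core"

# cve -> [(introduced_inclusive, fixed_exclusive), ...], as the descriptions state them.
# "0" means every earlier version on the main line; a second tuple is the x.y branch.
AFFECTED: dict[str, list[tuple[str, str]]] = {
    "CVE-2014-0035": [("0", "2.6.13"), ("2.7.0", "2.7.10")],
    "CVE-2014-0109": [("0", "2.6.14"), ("2.7.0", "2.7.11")],
    "CVE-2014-0110": [("0", "2.6.14"), ("2.7.0", "2.7.11")],
    "CVE-2016-6812": [("0", "3.0.12"), ("3.1.0", "3.1.9")],
    "CVE-2016-8739": [("0", "3.0.12"), ("3.1.0", "3.1.9")],
    "CVE-2017-5653": [("0", "3.0.13"), ("3.1.0", "3.1.11")],
    "CVE-2017-5656": [("0", "3.0.13"), ("3.1.0", "3.1.11")],
    "CVE-2022-46363": [("0", "3.4.10"), ("3.5.0", "3.5.5")],
    "CVE-2022-46364": [("0", "3.4.10"), ("3.5.0", "3.5.5")],
}


def version_key(version: str) -> tuple:
    """Simplified Maven ordering: numeric dot-parts compare numerically (padded so
    3.5 == 3.5.0) and a -qualifier (3.0.0-milestone1) sorts before the release."""
    core, _, qualifier = version.partition("-")
    nums = tuple(int(p) if p.isdigit() else 0 for p in core.split("."))
    nums += (0,) * max(0, 3 - len(nums))
    return (nums, 0 if qualifier else 1, qualifier)


def affecting_cves(version: str) -> list[str]:
    """CVE ids (in page order) whose ranges contain `version`."""
    key = version_key(version)
    return [cve for cve, ranges in AFFECTED.items()
            if any(version_key(lo) <= key < version_key(hi) for lo, hi in ranges)]


# pkg:maven/<group>/<artifact>@<version>[?qualifiers][#subpath]
PURL_RE = re.compile(r"^pkg:maven/(?P<group>[^/]+)/(?P<artifact>[^@/]+)@(?P<version>[^?#]+)")


def versions_from_sbom(sbom_json: str) -> list[str]:
    """Versions of cxf-core named by purl in a CycloneDX JSON document."""
    found = []
    for comp in json.loads(sbom_json).get("components", []):
        m = PURL_RE.match(comp.get("purl", ""))
        if m and f"{m['group']}:{m['artifact']}" == PACKAGE:
            found.append(m["version"])
    return found


TREE_RE = re.compile(r"\borg\.apache\.cxf:cxf-core:\S+")


def versions_from_dependency_tree(tree_text: str) -> list[str]:
    """Versions from `mvn dependency:tree` lines; a dependency coordinate there is
    group:artifact:type[:classifier]:version:scope, so the version is second-to-last."""
    return [m.group(0).split(":")[-2] for m in TREE_RE.finditer(tree_text)]


def report(versions: list[str]) -> dict[str, list[str]]:
    """Deduplicated version -> applicable CVEs."""
    return {v: affecting_cves(v) for v in dict.fromkeys(versions)}


# Constructed sample inputs.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.4",
    "components": [
        {"type": "library", "purl": "pkg:maven/org.apache.cxf/cxf-core@3.5.3"},
        {"type": "library", "purl": "pkg:maven/org.apache.cxf/cxf-rt-frontend-jaxws@3.5.3"},
        {"type": "library", "purl": "pkg:maven/org.apache.cxf/cxf-core@3.5.5?type=jar"},
    ],
})
SAMPLE_TREE = """[INFO] com.example:service:jar:1.0.0
[INFO] +- org.apache.cxf:cxf-rt-frontend-jaxws:jar:3.1.8:compile
[INFO] |  \\- org.apache.cxf:cxf-core:jar:3.1.8:compile
"""

if __name__ == "__main__":
    print(report(versions_from_sbom(SAMPLE_SBOM)))
    print(report(versions_from_dependency_tree(SAMPLE_TREE)))
```

Note that "before 3.5.5 and 3.4.10" in an advisory means two ranges (everything below 3.4.10, and 3.5.0 up to but excluding 3.5.5): 3.4.10 itself is not affected even though it is older than 3.5.4, which a single `< 3.5.5` comparison would get wrong.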