Vulnerabilities > Apache > CXF > 2.2.3
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2019-11-06 | CVE-2019-12406 | Allocation of Resources Without Limits or Throttling vulnerability in multiple products Apache CXF before 3.3.4 and 3.2.11 does not restrict the number of message attachments present in a given message. | 6.5 |
| 2018-07-02 | CVE-2018-8039 | Improper Handling of Exceptional Conditions vulnerability in multiple products It is possible to configure Apache CXF to use the com.sun.net.ssl implementation via 'System.setProperty("java.protocol.handler.pkgs", "com.sun.net.ssl.internal.www.protocol");'. | 8.1 |
| 2017-08-10 | CVE-2017-3156 | Unspecified vulnerability in Apache CXF The OAuth2 Hawk and JOSE MAC Validation code in Apache CXF prior to 3.0.13 and 3.1.x prior to 3.1.10 is not using a constant time MAC signature comparison algorithm which may be exploited by sophisticated timing attacks. | 7.5 |
| 2017-08-10 | CVE-2016-8739 | XXE vulnerability in Apache CXF The JAX-RS module in Apache CXF prior to 3.0.12 and 3.1.x prior to 3.1.9 provides a number of Atom JAX-RS MessageBodyReaders. | 7.5 |
| 2017-08-10 | CVE-2016-6812 | Cross-site Scripting vulnerability in Apache CXF The HTTP transport module in Apache CXF prior to 3.0.12 and 3.1.x prior to 3.1.9 uses FormattedServiceListWriter to provide an HTML page which lists the names and absolute URL addresses of the available service endpoints. | 6.1 |
| 2010-08-19 | CVE-2010-2076 | Inclusion of Functionality from Untrusted Control Sphere vulnerability in Apache CXF Apache CXF 2.0.x before 2.0.13, 2.1.x before 2.1.10, and 2.2.x before 2.2.9, as used in Apache ServiceMix, Apache Camel, Apache Chemistry, Apache jUDDI, Apache Geronimo, and other products, does not properly reject DTDs in SOAP messages, which allows remote attackers to read arbitrary files, send HTTP requests to intranet servers, or cause a denial of service (CPU and memory consumption) via a crafted DTD, as demonstrated by an entity declaration in a request to samples/wsdl_first_pure_xml, a similar issue to CVE-2010-1632. | 9.8 |