Vulnerabilities > Apache > CXF > High

DATE CVE VULNERABILITY TITLE RISK
2024-07-19 CVE-2024-32007 Unspecified vulnerability in Apache CXF
An improper input validation of the p2c parameter in the Apache CXF JOSE code before 4.0.5, 3.6.4 and 3.5.9 allows an attacker to perform a denial of service attack by specifying a large value for this parameter in a token. 
network
low complexity
apache
7.5
2024-07-19 CVE-2024-41172 Unspecified vulnerability in Apache CXF
In versions of Apache CXF before 3.6.4 and 4.0.5 (3.5.x and lower versions are not impacted), a CXF HTTP client conduit may prevent HTTPClient instances from being garbage collected and it is possible that memory consumption will continue to increase, eventually causing the application to run out of memory
network
low complexity
apache
7.5
2022-12-13 CVE-2022-46363 Unspecified vulnerability in Apache CXF
A vulnerability in Apache CXF before versions 3.5.5 and 3.4.10 allows an attacker to perform a remote directory listing or code exfiltration.
network
low complexity
apache
7.5
2021-09-19 CVE-2021-40690 All versions of Apache Santuario - XML Security for Java prior to 2.2.3 and 2.1.7 are vulnerable to an issue where the "secureValidation" property is not passed correctly when creating a KeyInfo from a KeyInfoReference element.
network
low complexity
apache debian oracle
7.5
2021-06-16 CVE-2021-30468 Infinite Loop vulnerability in multiple products
A vulnerability in the JsonMapObjectReaderWriter of Apache CXF allows an attacker to submit malformed JSON to a web service, which results in the thread getting stuck in an infinite loop, consuming CPU indefinitely.
network
low complexity
apache oracle CWE-835
7.5
2021-04-02 CVE-2021-22696 Server-Side Request Forgery (SSRF) vulnerability in multiple products
CXF supports (via JwtRequestCodeFilter) passing OAuth 2 parameters via a JWT token as opposed to query parameters (see: The OAuth 2.0 Authorization Framework: JWT Secured Authorization Request (JAR)).
network
low complexity
apache oracle CWE-918
7.5
2020-01-16 CVE-2019-12423 Insufficiently Protected Credentials vulnerability in multiple products
Apache CXF ships with a OpenId Connect JWK Keys service, which allows a client to obtain the public keys in JWK format, which can then be used to verify the signature of tokens issued by the service.
network
low complexity
apache oracle CWE-522
7.5
2018-07-02 CVE-2018-8039 Improper Handling of Exceptional Conditions vulnerability in multiple products
It is possible to configure Apache CXF to use the com.sun.net.ssl implementation via 'System.setProperty("java.protocol.handler.pkgs", "com.sun.net.ssl.internal.www.protocol");'.
network
high complexity
apache redhat CWE-755
8.1
2017-08-10 CVE-2017-3156 Unspecified vulnerability in Apache CXF
The OAuth2 Hawk and JOSE MAC Validation code in Apache CXF prior to 3.0.13 and 3.1.x prior to 3.1.10 is not using a constant time MAC signature comparison algorithm which may be exploited by sophisticated timing attacks.
network
low complexity
apache
7.5
2017-08-10 CVE-2016-8739 XXE vulnerability in Apache CXF
The JAX-RS module in Apache CXF prior to 3.0.12 and 3.1.x prior to 3.1.9 provides a number of Atom JAX-RS MessageBodyReaders.
network
low complexity
apache CWE-611
7.5