Multiple vulnerabilities in Apache CXF
| Risk | Medium |
| Patch available | YES |
| Number of vulnerabilities | 3 |
| CVE-ID | CVE-2024-32007 CVE-2024-29736 CVE-2024-41172 |
| CWE-ID | CWE-20 CWE-918 CWE-401 |
| Exploitation vector | Network |
| Public exploit | N/A |
| Vulnerable software |
Apache CXF Server applications / Frameworks for developing and running applications |
| Vendor | Apache Foundation |
Security Bulletin
This security bulletin contains information about 3 vulnerabilities.
1) Input validation error
EUVDB-ID: #VU97458
Risk: Medium
CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2024-32007
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists within the JOSE code due to insufficient validation of user-supplied input passed via the p2c parameter. A remote attacker can pass a large value for the affected parameter in a token and perform a denial of service (DoS) attack.
MitigationInstall updates from vendor's website.
Vulnerable software versionsApache CXF: 3.0.0 - 4.0.4
CPE2.3- cpe:2.3:a:apache_foundation:apache_cxf:3.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:apache_foundation:apache_cxf:3.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:apache_foundation:apache_cxf:3.0.2:*:*:*:*:*:*:*
- cpe:2.3:a:apache_foundation:apache_cxf:3.0.3:*:*:*:*:*:*:*
- cpe:2.3:a:apache_foundation:apache_cxf:3.0.4:*:*:*:*:*:*:*
- cpe:2.3:a:apache_foundation:apache_cxf:3.0.5:*:*:*:*:*:*:*
- cpe:2.3:a:apache_foundation:apache_cxf:3.0.6:*:*:*:*:*:*:*
- cpe:2.3:a:apache_foundation:apache_cxf:3.0.7:*:*:*:*:*:*:*
- cpe:2.3:a:apache_foundation:apache_cxf:3.0.8:*:*:*:*:*:*:*
- cpe:2.3:a:apache_foundation:apache_cxf:3.0.9:*:*:*:*:*:*:*
https://lists.apache.org/thread/stwrgsr1llb73nkl16klv9vjqgmmx633
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
2) Server-Side Request Forgery (SSRF)
EUVDB-ID: #VU97457
Risk: Medium
CVSSv4.0: 1.7 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:L/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2024-29736
CWE-ID:
CWE-918 - Server-Side Request Forgery (SSRF)
Exploit availability: No
DescriptionThe disclosed vulnerability allows a remote attacker to perform SSRF attacks.
The vulnerability exists due to insufficient validation of user-supplied input passed via the WADL stylesheet parameter. A remote attacker can send a specially crafted HTTP request and trick the application to initiate requests to arbitrary systems.
Successful exploitation of this vulnerability requires that a custom stylesheet parameter is configured.
Install updates from vendor's website.
Vulnerable software versionsApache CXF: 3.0.0 - 4.0.4
CPE2.3- cpe:2.3:a:apache_foundation:apache_cxf:3.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:apache_foundation:apache_cxf:3.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:apache_foundation:apache_cxf:3.0.2:*:*:*:*:*:*:*
- cpe:2.3:a:apache_foundation:apache_cxf:3.0.3:*:*:*:*:*:*:*
- cpe:2.3:a:apache_foundation:apache_cxf:3.0.4:*:*:*:*:*:*:*
- cpe:2.3:a:apache_foundation:apache_cxf:3.0.5:*:*:*:*:*:*:*
- cpe:2.3:a:apache_foundation:apache_cxf:3.0.6:*:*:*:*:*:*:*
- cpe:2.3:a:apache_foundation:apache_cxf:3.0.7:*:*:*:*:*:*:*
- cpe:2.3:a:apache_foundation:apache_cxf:3.0.8:*:*:*:*:*:*:*
- cpe:2.3:a:apache_foundation:apache_cxf:3.0.9:*:*:*:*:*:*:*
- cpe:2.3:a:apache_foundation:apache_cxf:3.0.10:*:*:*:*:*:*:*
https://lists.apache.org/thread/4jtpsswn2r6xommol54p5mg263ysgdw2
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
3) Memory leak
EUVDB-ID: #VU97630
Risk: Medium
CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2024-41172
CWE-ID:
CWE-401 - Missing release of memory after effective lifetime
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform DoS attack on the target system.
The vulnerability exists due memory leak in HTTPClient. A remote attacker can force the application to leak memory and perform denial of service attack.
MitigationInstall updates from vendor's website.
Vulnerable software versionsApache CXF: 3.6.0 - 4.0.4
CPE2.3- cpe:2.3:a:apache_foundation:apache_cxf:3.6.0:*:*:*:*:*:*:*
- cpe:2.3:a:apache_foundation:apache_cxf:3.6.1:*:*:*:*:*:*:*
- cpe:2.3:a:apache_foundation:apache_cxf:3.6.2:*:*:*:*:*:*:*
- cpe:2.3:a:apache_foundation:apache_cxf:3.6.3:*:*:*:*:*:*:*
- cpe:2.3:a:apache_foundation:apache_cxf:4.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:apache_foundation:apache_cxf:4.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:apache_foundation:apache_cxf:4.0.2:*:*:*:*:*:*:*
- cpe:2.3:a:apache_foundation:apache_cxf:4.0.3:*:*:*:*:*:*:*
- cpe:2.3:a:apache_foundation:apache_cxf:4.0.4:*:*:*:*:*:*:*
https://lists.apache.org/thread/n2hvbrgwpdtcqdccod8by28ynnolybl6
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
