CVE-2017-12624

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2017-12624

Import Source

https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2017-12624.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2017-12624

Aliases

GHSA-7vgj-8mw4-hg8r

Related

Published

2017-11-14T16:29:00Z

Modified

2024-10-12T02:02:21.167026Z

Severity

5.5 (Medium) CVSS_V3 - CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H CVSS Calculator

Summary

[none]

Details

Apache CXF supports sending and receiving attachments via either the JAX-WS or JAX-RS specifications. It is possible to craft a message attachment header that could lead to a Denial of Service (DoS) attack on a CXF web service provider. Both JAX-WS and JAX-RS services are vulnerable to this attack. From Apache CXF 3.2.1 and 3.1.14, message attachment headers that are greater than 300 characters will be rejected by default. This value is configurable via the property "attachment-max-header-size".

References

Affected packages

Git / github.com/apache/cxf

Affected ranges

Type: GIT
Repo: https://github.com/apache/cxf
Events: Introduced

fd92c807e8773c363df37cfaf946971f5bac763b

Fixed

0d845b9519423abd31e8d13c33c68a4800dd5d40

Affected versions

cxf-3.*

cxf-3.0.0

cxf-3.0.1

cxf-3.0.10

cxf-3.0.11

cxf-3.0.12

cxf-3.0.13

cxf-3.0.14

cxf-3.0.15

cxf-3.0.2

cxf-3.0.3

cxf-3.0.4

cxf-3.0.5

cxf-3.0.6

cxf-3.0.7

cxf-3.0.8

cxf-3.0.9