CVE-2024-28752

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2024-28752
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-28752.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2024-28752
Aliases
Downstream
Related
Published
2024-03-15T11:15:09.220Z
Modified
2026-02-03T07:36:40.885700Z
Severity
  • 9.3 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N CVSS Calculator
Summary
[none]
Details

A SSRF vulnerability using the Aegis DataBinding in versions of Apache CXF before 4.0.4, 3.6.3 and 3.5.8 allows an attacker to perform SSRF style attacks on webservices that take at least one parameter of any type. Users of other data bindings (including the default databinding) are not impacted.

References

Affected packages

Git / github.com/apache/cxf

Affected ranges

Type
GIT
Repo
https://github.com/apache/cxf
Events
Fixed
1593a5e0e48a67f75c60a64add52b0be57bb5eb0
Introduced
02310e95fe74c0c031f540f3284e4a9bd856ced2
Fixed
40ad2263e5c080bf3b55542bf3ee052fa7465733
Introduced
4cf375c5436f3e806293a73a5bb6a8510f7ac961
Fixed
d6c36b4dcabade57d0266313ab3745bedf5fb57c

Affected versions

cxf-3.*
cxf-3.6.0
cxf-3.6.1
cxf-3.6.2
cxf-4.*
cxf-4.0.0
cxf-4.0.1
cxf-4.0.2
cxf-4.0.3

Database specific

source 
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-28752.json"