GHSA-v8q2-94f6-6xq2

Suggest an improvement
Source
https://github.com/advisories/GHSA-v8q2-94f6-6xq2
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-v8q2-94f6-6xq2/GHSA-v8q2-94f6-6xq2.json
JSON Data
https://api.test.osv.dev/v1/vulns/GHSA-v8q2-94f6-6xq2
Aliases
  • CVE-2010-2076
Published
2022-05-13T01:09:23Z
Modified
2024-12-08T05:32:05.470743Z
Summary
Improper Input Validation in Apache CXF
Details

Apache CXF 2.0.x before 2.0.13, 2.1.x before 2.1.10, and 2.2.x before 2.2.9, as used in Apache ServiceMix, Apache Camel, Apache Chemistry, Apache jUDDI, Apache Geronimo, and other products, does not properly reject DTDs in SOAP messages, which allows remote attackers to read arbitrary files, send HTTP requests to intranet servers, or cause a denial of service (CPU and memory consumption) via a crafted DTD, as demonstrated by an entity declaration in a request to samples/wsdlfirstpure_xml, a similar issue to CVE-2010-1632.

Database specific
{
    "nvd_published_at": "2010-08-19T18:00:00Z",
    "cwe_ids": [
        "CWE-20"
    ],
    "severity": "HIGH",
    "github_reviewed": true,
    "github_reviewed_at": "2022-07-08T18:53:08Z"
}
References

Affected packages

Maven / org.apache.cxf:cxf-rt-frontend-jaxrs

Package

Name
org.apache.cxf:cxf-rt-frontend-jaxrs
View open source insights on deps.dev
Purl
pkg:maven/org.apache.cxf/cxf-rt-frontend-jaxrs

Affected ranges

Type
ECOSYSTEM
Events
Introduced
2.0.0
Fixed
2.0.13

Maven / org.apache.cxf:cxf-rt-frontend-jaxrs

Package

Name
org.apache.cxf:cxf-rt-frontend-jaxrs
View open source insights on deps.dev
Purl
pkg:maven/org.apache.cxf/cxf-rt-frontend-jaxrs

Affected ranges

Type
ECOSYSTEM
Events
Introduced
2.1.0
Fixed
2.1.10

Affected versions

2.*

2.1
2.1.1
2.1.2
2.1.3
2.1.4
2.1.5
2.1.6
2.1.7
2.1.8
2.1.9

Maven / org.apache.cxf:cxf-rt-frontend-jaxrs

Package

Name
org.apache.cxf:cxf-rt-frontend-jaxrs
View open source insights on deps.dev
Purl
pkg:maven/org.apache.cxf/cxf-rt-frontend-jaxrs

Affected ranges

Type
ECOSYSTEM
Events
Introduced
2.2.0
Fixed
2.2.9

Affected versions

2.*

2.2
2.2.1
2.2.2
2.2.3
2.2.4
2.2.5
2.2.6
2.2.7
2.2.8