Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS01bTNqLXB4aDctNDU1cM4AA-Ab
Apache CXF: SSRF vulnerability via WADL stylesheet parameter
An SSRF vulnerability in the WADL service description in versions of Apache CXF before 4.0.5, 3.6.4 and 3.5.9 allows an attacker to perform SSRF-style attacks on REST web services. The attack only applies if a custom stylesheet parameter is configured.
Permalink: https://github.com/advisories/GHSA-5m3j-pxh7-455p
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS01bTNqLXB4aDctNDU1cM4AA-Ab
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Low
Classification: General
Published: 6 months ago
Updated: about 2 months ago
CVSS Score: 5.9
CVSS vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
EPSS Percentage: 0.00238
EPSS Percentile: 0.61505
Identifiers: GHSA-5m3j-pxh7-455p, CVE-2024-29736
References:
- https://nvd.nist.gov/vuln/detail/CVE-2024-29736
- https://lists.apache.org/thread/4jtpsswn2r6xommol54p5mg263ysgdw2
- https://github.com/apache/cxf/commit/378afe1acb7503315bc63555c8743db0f55d8312
- https://github.com/apache/cxf/commit/bafb0cadf723fc3962031c34f1f20dc0e8b7a36b
- https://github.com/apache/cxf/commit/df2241c59481a57aebb1c0693b778a35baaf5570
- https://github.com/advisories/GHSA-5m3j-pxh7-455p
Blast Radius: 16.7
Affected Packages
maven:org.apache.cxf:cxf-rt-rs-service-description
Dependent packages: 206
Dependent repositories: 673
Downloads:
Affected Version Ranges: < 3.5.9; >= 3.6.0, < 3.6.4; >= 4.0.0, < 4.0.5
Fixed in: 3.5.9, 3.6.4, 4.0.5
All affected versions: 3.0.0, 3.0.1, 3.0.2, 3.0.3, 3.0.4, 3.0.5, 3.0.6, 3.0.7, 3.0.8, 3.0.9, 3.0.10, 3.0.11, 3.0.12, 3.0.13, 3.0.14, 3.0.15, 3.0.16, 3.1.0, 3.1.1, 3.1.2, 3.1.3, 3.1.4, 3.1.5, 3.1.6, 3.1.7, 3.1.8, 3.1.9, 3.1.10, 3.1.11, 3.1.12, 3.1.13, 3.1.14, 3.1.15, 3.1.16, 3.1.17, 3.1.18, 3.2.0, 3.2.1, 3.2.2, 3.2.3, 3.2.4, 3.2.5, 3.2.6, 3.2.7, 3.2.8, 3.2.9, 3.2.10, 3.2.11, 3.2.12, 3.2.13, 3.2.14, 3.3.0, 3.3.1, 3.3.2, 3.3.3, 3.3.4, 3.3.5, 3.3.6, 3.3.7, 3.3.8, 3.3.9, 3.3.10, 3.3.11, 3.3.12, 3.3.13, 3.4.0, 3.4.1, 3.4.2, 3.4.3, 3.4.4, 3.4.5, 3.4.6, 3.4.7, 3.4.8, 3.4.9, 3.4.10, 3.5.0, 3.5.1, 3.5.2, 3.5.3, 3.5.4, 3.5.5, 3.5.6, 3.5.7, 3.5.8, 3.6.0, 3.6.1, 3.6.2, 3.6.3, 4.0.0, 4.0.1, 4.0.2, 4.0.3, 4.0.4
All unaffected versions: 3.5.9, 3.5.10, 3.6.4, 3.6.5, 4.0.5, 4.0.6, 4.1.0