Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: GSA_kwCzR0hTQS01bTNqLXB4aDctNDU1cM4AA-Ab

Apache CXF: SSRF vulnerability via WADL stylesheet parameter

A SSRF vulnerability in WADL service description in versions of Apache CXF before 4.0.5, 3.6.4 and 3.5.9 allows an attacker to perform SSRF style attacks on REST webservices. The attack only applies if a custom stylesheet parameter is configured.

Permalink: https://github.com/advisories/GHSA-5m3j-pxh7-455p
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS01bTNqLXB4aDctNDU1cM4AA-Ab
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: about 2 months ago
Updated: about 1 month ago

CVSS Score: 5.9
CVSS vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

Identifiers: GHSA-5m3j-pxh7-455p, CVE-2024-29736
References:

Repository: https://github.com/apache/cxf
Blast Radius: 16.7

Affected Packages

maven:org.apache.cxf:cxf-rt-rs-service-description

Dependent packages: 206
Dependent repositories: 673
Downloads:
Affected Version Ranges: < 3.5.9, >= 3.6.0, < 3.6.4, >= 4.0.0, < 4.0.5
Fixed in: 3.5.9, 3.6.4, 4.0.5
All affected versions: 3.0.0, 3.0.1, 3.0.2, 3.0.3, 3.0.4, 3.0.5, 3.0.6, 3.0.7, 3.0.8, 3.0.9, 3.0.10, 3.0.11, 3.0.12, 3.0.13, 3.0.14, 3.0.15, 3.0.16, 3.1.0, 3.1.1, 3.1.2, 3.1.3, 3.1.4, 3.1.5, 3.1.6, 3.1.7, 3.1.8, 3.1.9, 3.1.10, 3.1.11, 3.1.12, 3.1.13, 3.1.14, 3.1.15, 3.1.16, 3.1.17, 3.1.18, 3.2.0, 3.2.1, 3.2.2, 3.2.3, 3.2.4, 3.2.5, 3.2.6, 3.2.7, 3.2.8, 3.2.9, 3.2.10, 3.2.11, 3.2.12, 3.2.13, 3.2.14, 3.3.0, 3.3.1, 3.3.2, 3.3.3, 3.3.4, 3.3.5, 3.3.6, 3.3.7, 3.3.8, 3.3.9, 3.3.10, 3.3.11, 3.3.12, 3.3.13, 3.4.0, 3.4.1, 3.4.2, 3.4.3, 3.4.4, 3.4.5, 3.4.6, 3.4.7, 3.4.8, 3.4.9, 3.4.10, 3.5.0, 3.5.1, 3.5.2, 3.5.3, 3.5.4, 3.5.5, 3.5.6, 3.5.7, 3.5.8, 3.6.0, 3.6.1, 3.6.2, 3.6.3, 4.0.0, 4.0.1, 4.0.2, 4.0.3, 4.0.4
All unaffected versions: 3.5.9, 3.6.4, 4.0.5