Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: GSA_kwCzR0hTQS1xbWd4LWo5NmctNDQyOM4AA6BU

SSRF vulnerability using the Aegis DataBinding in Apache CXF

An SSRF vulnerability using the Aegis DataBinding in versions of Apache CXF before 4.0.4, 3.6.3 and 3.5.8 allows an attacker to perform SSRF-style attacks on web services that take at least one parameter of any type. Users of other data bindings (including the default data binding) are not impacted.

Permalink: https://github.com/advisories/GHSA-qmgx-j96g-4428
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1xbWd4LWo5NmctNDQyOM4AA6BU
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Critical
Classification: General
Published: 9 months ago
Updated: 4 months ago


CVSS Score: 9.3
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N

Identifiers: GHSA-qmgx-j96g-4428, CVE-2024-28752
References:
Blast Radius: 30.1

Affected Packages

maven:org.apache.cxf:cxf-core
Dependent packages: 368
Dependent repositories: 1,719
Downloads:
Affected Version Ranges: >= 4.0.0 and < 4.0.4; >= 3.6.0 and < 3.6.3; < 3.5.8
Fixed in: 4.0.4, 3.6.3, 3.5.8
All affected versions: 3.0.0, 3.0.1, 3.0.2, 3.0.3, 3.0.4, 3.0.5, 3.0.6, 3.0.7, 3.0.8, 3.0.9, 3.0.10, 3.0.11, 3.0.12, 3.0.13, 3.0.14, 3.0.15, 3.0.16, 3.1.0, 3.1.1, 3.1.2, 3.1.3, 3.1.4, 3.1.5, 3.1.6, 3.1.7, 3.1.8, 3.1.9, 3.1.10, 3.1.11, 3.1.12, 3.1.13, 3.1.14, 3.1.15, 3.1.16, 3.1.17, 3.1.18, 3.2.0, 3.2.1, 3.2.2, 3.2.3, 3.2.4, 3.2.5, 3.2.6, 3.2.7, 3.2.8, 3.2.9, 3.2.10, 3.2.11, 3.2.12, 3.2.13, 3.2.14, 3.3.0, 3.3.1, 3.3.2, 3.3.3, 3.3.4, 3.3.5, 3.3.6, 3.3.7, 3.3.8, 3.3.9, 3.3.10, 3.3.11, 3.3.12, 3.3.13, 3.4.0, 3.4.1, 3.4.2, 3.4.3, 3.4.4, 3.4.5, 3.4.6, 3.4.7, 3.4.8, 3.4.9, 3.4.10, 3.5.0, 3.5.1, 3.5.2, 3.5.3, 3.5.4, 3.5.5, 3.5.6, 3.5.7, 3.6.0, 3.6.1, 3.6.2, 4.0.0, 4.0.1, 4.0.2, 4.0.3
All unaffected versions: 3.5.8, 3.5.9, 3.6.3, 3.6.4, 4.0.4, 4.0.5