9.8

CVE-2010-2076

Exploit
Apache CXF 2.0.x before 2.0.13, 2.1.x before 2.1.10, and 2.2.x before 2.2.9, as used in Apache ServiceMix, Apache Camel, Apache Chemistry, Apache jUDDI, Apache Geronimo, and other products, does not properly reject DTDs in SOAP messages, which allows remote attackers to read arbitrary files, send HTTP requests to intranet servers, or cause a denial of service (CPU and memory consumption) via a crafted DTD, as demonstrated by an entity declaration in a request to samples/wsdl_first_pure_xml, a similar issue to CVE-2010-1632.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
ApacheCxf Version >= 2.0.6 < 2.0.13
ApacheCxf Version >= 2.1 < 2.1.10
ApacheCxf Version >= 2.2.0 < 2.2.9
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 9.79% 0.949
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 9.8 3.9 5.9
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd@nist.gov 7.5 10 6.4
AV:N/AC:L/Au:N/C:P/I:P/A:P
CWE-829 Inclusion of Functionality from Untrusted Control Sphere

The product imports, requires, or includes executable functionality (such as a library) from a source that is outside of the intended control sphere.

http://geronimo.apache.org/2010/07/21/apache-geronimo-v216-released.html
Vendor Advisory
http://geronimo.apache.org/21x-security-report.html
Vendor Advisory
Release Notes
http://geronimo.apache.org/22x-security-report.html
Vendor Advisory
Release Notes
http://secunia.com/advisories/41016
Vendor Advisory
Broken Link
http://secunia.com/advisories/41025
Vendor Advisory
Broken Link
https://issues.apache.org/jira/browse/GERONIMO-5383
Third Party Advisory
http://secunia.com/advisories/40969
Vendor Advisory
Broken Link
http://svn.apache.org/repos/asf/cxf/trunk/security/CVE-2010-2076.pdf
Vendor Advisory
Exploit
http://www.listware.net/201006/cxf-users/60160-important-apache-cxf-security-advisory-cve-2010-2076.html
Broken Link
http://www.securityfocus.com/bid/42492
Third Party Advisory
Broken Link
VDB Entry
https://lists.apache.org/thread.html/r36e44ffc1a9b365327df62cdfaabe85b9a5637de102cea07d79b2dbf%40%3Ccommits.cxf.apache.org%3E
Patch
Mailing List
https://lists.apache.org/thread.html/rc774278135816e7afc943dc9fc78eb0764f2c84a2b96470a0187315c%40%3Ccommits.cxf.apache.org%3E
Patch
Mailing List
https://lists.apache.org/thread.html/rd49aabd984ed540c8ff7916d4d79405f3fa311d2fdbcf9ed307839a6%40%3Ccommits.cxf.apache.org%3E
Patch
Mailing List
https://lists.apache.org/thread.html/rec7160382badd3ef4ad017a22f64a266c7188b9ba71394f0d321e2d4%40%3Ccommits.cxf.apache.org%3E
Patch
Mailing List
https://lists.apache.org/thread.html/rfb87e0bf3995e7d560afeed750fac9329ff5f1ad49da365129b7f89e%40%3Ccommits.cxf.apache.org%3E
Patch
Mailing List
https://lists.apache.org/thread.html/rff42cfa5e7d75b7c1af0e37589140a8f1999e578a75738740b244bd4%40%3Ccommits.cxf.apache.org%3E
Patch
Mailing List