9.8

CVE-2010-2076

Exploit

Apache CXF 2.0.x before 2.0.13, 2.1.x before 2.1.10, and 2.2.x before 2.2.9, as used in Apache ServiceMix, Apache Camel, Apache Chemistry, Apache jUDDI, Apache Geronimo, and other products, does not properly reject DTDs in SOAP messages, which allows remote attackers to read arbitrary files, send HTTP requests to intranet servers, or cause a denial of service (CPU and memory consumption) via a crafted DTD, as demonstrated by an entity declaration in a request to samples/wsdl_first_pure_xml, a similar issue to CVE-2010-1632.

Data is provided by the National Vulnerability Database (NVD)
Affected versions:
ApacheCxf Version >= 2.0.6 < 2.0.13
ApacheCxf Version >= 2.1 < 2.1.10
ApacheCxf Version >= 2.2.0 < 2.2.9
No CISA KEV entry or CERT.AT advisory was found for this CVE.
EPSS Metrics
Type   Source      Score   Percentile
EPSS   FIRST.org   7.83%   0.916
CVSS Metrics
Source         Base Score   Exploit Score   Impact Score   Vector string
nvd@nist.gov   9.8          3.9             5.9            CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd@nist.gov   7.5          10              6.4            AV:N/AC:L/Au:N/C:P/I:P/A:P
CWE-829 Inclusion of Functionality from Untrusted Control Sphere

The product imports, requires, or includes executable functionality (such as a library) from a source that is outside of the intended control sphere.

References:
http://secunia.com/advisories/41016 (Vendor Advisory, Broken Link)
http://secunia.com/advisories/41025 (Vendor Advisory, Broken Link)
http://secunia.com/advisories/40969 (Vendor Advisory, Broken Link)
http://www.securityfocus.com/bid/42492 (Third Party Advisory, Broken Link, VDB Entry)