Apache

Cxf

57 Schwachstellen gefunden.

Hinweis: Diese Liste kann unvollständig sein. Daten werden ohne Gewähr im Ursprungsformat bereitgestellt.
  • EPSS 6.06%
  • Veröffentlicht 16.01.2020 18:15:11
  • Zuletzt bearbeitet 21.11.2024 04:22:48

Apache CXF ships with a OpenId Connect JWK Keys service, which allows a client to obtain the public keys in JWK format, which can then be used to verify the signature of tokens issued by the service. Typically, the service obtains the public key from...

  • EPSS 13.84%
  • Veröffentlicht 06.11.2019 21:15:11
  • Zuletzt bearbeitet 21.11.2024 04:22:48

Apache CXF before 3.3.4 and 3.2.11 provides all of the components that are required to build a fully fledged OpenId Connect service. There is a vulnerability in the access token services, where it does not validate that the authenticated principal is...

  • EPSS 6.26%
  • Veröffentlicht 06.11.2019 21:15:11
  • Zuletzt bearbeitet 21.11.2024 04:22:46

Apache CXF before 3.3.4 and 3.2.11 does not restrict the number of message attachments present in a given message. This leaves open the possibility of a denial of service type attack, where a malicious user crafts a message containing a very large nu...

  • EPSS 10.35%
  • Veröffentlicht 02.07.2018 13:29:00
  • Zuletzt bearbeitet 21.11.2024 04:13:09

It is possible to configure Apache CXF to use the com.sun.net.ssl implementation via 'System.setProperty("java.protocol.handler.pkgs", "com.sun.net.ssl.internal.www.protocol");'. When this system property is set, CXF uses some reflection to try to ma...

  • EPSS 3.7%
  • Veröffentlicht 14.11.2017 16:29:00
  • Zuletzt bearbeitet 13.05.2026 00:24:29

Apache CXF supports sending and receiving attachments via either the JAX-WS or JAX-RS specifications. It is possible to craft a message attachment header that could lead to a Denial of Service (DoS) attack on a CXF web service provider. Both JAX-WS a...

  • EPSS 6.32%
  • Veröffentlicht 10.08.2017 18:29:00
  • Zuletzt bearbeitet 13.05.2026 00:24:29

The OAuth2 Hawk and JOSE MAC Validation code in Apache CXF prior to 3.0.13 and 3.1.x prior to 3.1.10 is not using a constant time MAC signature comparison algorithm which may be exploited by sophisticated timing attacks.

  • EPSS 7.32%
  • Veröffentlicht 10.08.2017 18:29:00
  • Zuletzt bearbeitet 13.05.2026 00:24:29

The JAX-RS module in Apache CXF prior to 3.0.12 and 3.1.x prior to 3.1.9 provides a number of Atom JAX-RS MessageBodyReaders. These readers use Apache Abdera Parser which expands XML entities by default which represents a major XXE risk.

  • EPSS 9.19%
  • Veröffentlicht 10.08.2017 16:29:00
  • Zuletzt bearbeitet 13.05.2026 00:24:29

The HTTP transport module in Apache CXF prior to 3.0.12 and 3.1.x prior to 3.1.9 uses FormattedServiceListWriter to provide an HTML page which lists the names and absolute URL addresses of the available service endpoints. The module calculates the ba...

  • EPSS 3.54%
  • Veröffentlicht 08.08.2017 21:29:00
  • Zuletzt bearbeitet 13.05.2026 00:24:29

The WS-SP UsernameToken policy in Apache CXF 2.4.5 and 2.5.1 allows remote attackers to bypass authentication by sending an empty UsernameToken as part of a SOAP request.

  • EPSS 6.83%
  • Veröffentlicht 18.04.2017 16:59:00
  • Zuletzt bearbeitet 13.05.2026 00:24:29

Apache CXF's STSClient before 3.1.11 and 3.0.13 uses a flawed way of caching tokens that are associated with delegation tokens, which means that an attacker could craft a token which would return an identifer corresponding to a cached token for anoth...