Blake Gatto

**Name of the Vulnerable Software and Affected Versions** Apache CXF versions prior to 3.6.8 Apache CXF versions prior to 4.0.9 Apache CXF versions prior to 4.1.3 **Description** If untrusted users are permitted to configure JMS (Java Message Service) for Apache CXF, they could use RMI (Remote Method Invocation) or LDAP (Lightweight Directory Access Protocol) URLs. This could potentially lead to code execution capabilities. The interface has been restricted to reject these protocols to eliminate this risk. **Recommendations** Upgrade to version 3.6.8 Upgrade to version 4.0.9 Upgrade to version 4.1.3