PT-2017-12608 · Apache · Apache Cxf

Published

2017-11-14

Updated

2022-05-13

CVE-2017-12624

CVSS v3.1

5.5

Medium

Vector

AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

Name of the Vulnerable Software and Affected Versions Apache CXF versions prior to 3.1.14 Apache CXF versions prior to 3.2.1

Description The issue allows an attacker to craft a message attachment header that could lead to a Denial of Service (DoS) attack on a CXF web service provider. Both JAX-WS and JAX-RS services are affected.

Recommendations For Apache CXF versions prior to 3.1.14, update to version 3.1.14 or later to resolve the issue. For Apache CXF versions prior to 3.2.1, update to version 3.2.1 or later to resolve the issue. As a temporary workaround, consider configuring the "attachment-max-header-size" property to reject message attachment headers greater than 300 characters.

Fix

RCE

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-20

Related Identifiers

CVE-2017-12624

GHSA-7VGJ-8MW4-HG8R

RHSA-2018:2423

RHSA-2018:2424

Affected Products

Apache Cxf

PT-2017-12608 · Apache · Apache Cxf

CVE-2017-12624

Weakness Enumeration

Related Identifiers

Affected Products

References · 28