CVE-2019-12406

Name of the Vulnerable Software and Affected Versions Apache CXF versions prior to 3.3.4 and 3.2.11

Description The issue is related to an uncontrolled resource consumption in Apache CXF, which can be exploited by a remote attacker to cause a denial of service. This can be achieved by crafting a message with a large number of message attachments, exceeding the default limit. The default limit of 50 message attachments is enforced from versions 3.3.4 and 3.2.11 onwards and is configurable via the attachment-max-count message property.

Recommendations For versions prior to 3.3.4 and 3.2.11, update to version 3.3.4 or 3.2.11 to enforce the default limit of 50 message attachments. As a temporary workaround, consider configuring the attachment-max-count message property to restrict the number of message attachments and minimize the risk of exploitation.