PT-2024-4249 · Apache · Apache Cxf

Tobias S. Fink · Published 2024-03-14 · Updated 2026-04-07 · CVE-2024-28752

CVSS v2.0: 10 (Critical)
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions

Apache CXF versions prior to 4.0.4
Apache CXF versions prior to 3.6.3
Apache CXF versions prior to 3.5.8

Description

A Server-Side Request Forgery (SSRF) vulnerability in Apache CXF's Aegis DataBinding allows an attacker to perform SSRF-style attacks on web services that take at least one parameter of any type. Users of other data bindings, including the default data binding, are not impacted.

Recommendations

For Apache CXF versions prior to 4.0.4, update to version 4.0.4 or later.
For Apache CXF versions prior to 3.6.3, update to version 3.6.3 or later.
For Apache CXF versions prior to 3.5.8, update to version 3.5.8 or later.
As a temporary workaround, consider disabling the Aegis DataBinding until a patch is available.

Fix

SSRF


Weakness Enumeration

Related Identifiers

BDU:2024-04736
CVE-2024-28752
GHSA-QMGX-J96G-4428
RHSA-2024:10207
RHSA-2024:10208
RHSA-2024:3559
RHSA-2024:3560
RHSA-2024:3561
RHSA-2024:5479
RHSA-2024:5481

Affected Products

Apache Cxf