PT-2024-5228 · Atlassian · Bitbucket Data Center/Server

Jianjun Chen · Published 2024-07-18 · Updated 2024-09-19 · CVE-2024-32007

CVSS v2.0: 7.8 (High)
Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C
Name of the Vulnerable Software and Affected Versions:
- Apache CXF versions prior to 3.5.9
- Apache CXF versions prior to 3.6.4
- Apache CXF versions prior to 4.0.5
- Bitbucket Data Center and Server versions 8.9.0 through 8.9.18
- Bitbucket Data Center and Server version 8.18.0
- Bitbucket Data Center and Server versions 8.19.0 through 8.19.8
Description: The issue stems from improper input validation of the p2c parameter in the Apache CXF JOSE code. An attacker can cause a denial of service by placing a very large value for this parameter in a token, leading to uncontrolled resource consumption. The flaw is reachable by an unauthenticated attacker and requires no user interaction; it has no impact on confidentiality or integrity and a high impact on availability.
Recommendations:
- For Apache CXF versions prior to 3.5.9, update to version 3.5.9 or later.
- For Apache CXF versions prior to 3.6.4, update to version 3.6.4 or later.
- For Apache CXF versions prior to 4.0.5, update to version 4.0.5 or later.
- For Bitbucket Data Center and Server versions 8.9.0 through 8.9.18, upgrade to release 8.9.19 or later.
- For Bitbucket Data Center and Server version 8.18.0, upgrade to release 8.19.9 or later.
- For Bitbucket Data Center and Server versions 8.19.0 through 8.19.8, upgrade to release 8.19.9 or later.
- As a temporary workaround, consider restricting access to the vulnerable p2c parameter in the Apache CXF JOSE code until a patch is available.
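A defender-side check for the condition described above, added here as an example and not code from Apache CXF or Atlassian: it parses the protected header of a compact JOSE token and rejects PBES2 tokens whose p2c (the PBES2 iteration count from RFC 7518) is missing, below the RFC minimum of 1000, or above a locally chosen cap, before any key derivation runs. The cap value and the sample tokens are constructed for this example.

```python
import base64
import json

# Assumed upper bound for the PBES2 iteration count. The advisory gives no
# number; RFC 7518 only sets a minimum of 1000, so pick a cap that the
# server can afford per request and reject anything above it.
MAX_P2C = 100_000


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the padding JOSE strips."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_header_segment(header: dict) -> str:
    """Encode a header dict as the first segment of a compact JOSE token."""
    raw = json.dumps(header, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def parse_jose_header(token: str) -> dict:
    """Return the protected header of a compact JWS/JWE token."""
    return json.loads(_b64url_decode(token.split(".", 1)[0]))


def check_p2c(token: str, max_p2c: int = MAX_P2C) -> tuple[bool, str]:
    """Decide whether a token's PBES2 parameters are safe to process."""
    header = parse_jose_header(token)
    if not str(header.get("alg", "")).startswith("PBES2"):
        return True, "not a PBES2 token; p2c is not used"
    p2c = header.get("p2c")
    # bool is a subclass of int, so exclude it explicitly.
    if isinstance(p2c, bool) or not isinstance(p2c, int) or p2c < 1000:
        return False, f"p2c missing or below the RFC 7518 minimum: {p2c!r}"
    if p2c > max_p2c:
        return False, f"p2c {p2c} exceeds the local cap of {max_p2c}"
    return True, "ok"


# Constructed sample tokens: only the protected header matters for this
# check, so the remaining compact-serialization segments are placeholders.
SANE_TOKEN = make_header_segment(
    {"alg": "PBES2-HS256+A128KW", "enc": "A128GCM", "p2s": "c2FsdHNhbHQ", "p2c": 4096}
) + ".k.iv.ct.tag"
ABUSIVE_TOKEN = make_header_segment(
    {"alg": "PBES2-HS256+A128KW", "enc": "A128GCM", "p2s": "c2FsdHNhbHQ", "p2c": 2_000_000_000}
) + ".k.iv.ct.tag"

if __name__ == "__main__":
    for name, token in (("sane", SANE_TOKEN), ("abusive", ABUSIVE_TOKEN)):
        print(name, check_p2c(token))
```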

Fix

DoS

Resource Exhaustion

RCE

Weakness Enumeration

Related Identifiers

BDU:2024-05793
CVE-2024-32007
GHSA-6PFF-FMH2-4MMF

Affected Products

Apache Cxf
Bitbucket
Bitbucket Data Center/Server