PT-2024-5337 · Apache · Apache Cxf
Tobias S. Fink · Published 2024-03-19 · Updated 2024-08-22 · CVE-2024-29736
CVSS v3.1: 9.1 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions
Apache CXF versions prior to 4.0.5
Apache CXF versions prior to 3.6.4
Apache CXF versions prior to 3.5.9
Description
An SSRF vulnerability in the WADL service description of Apache CXF allows an attacker to perform SSRF-style attacks against REST web services. The issue stems from the incorrect transformation of a stylesheet and is only exploitable if a custom stylesheet parameter is configured.
Recommendations
For versions prior to 4.0.5, update to version 4.0.5 or later.
For versions prior to 3.6.4, update to version 3.6.4 or later.
For versions prior to 3.5.9, update to version 3.5.9 or later.
As a temporary workaround, disable the custom stylesheet parameter until the update to a fixed version can be applied.
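To check which CXF artifacts in a build fall inside the affected ranges above, here is an added example (not code from the advisory or from the Apache CXF project) that encodes the three fixed versions and scans constructed `mvn dependency:tree` output; the sample tree lines and the artifact names in them are assumptions for illustration.

```python
import re

# Fixed releases stated in the advisory, keyed by maintenance branch (major, minor).
FIXED_VERSIONS = {(4, 0): (4, 0, 5), (3, 6): (3, 6, 4), (3, 5): (3, 5, 9)}

# Matches Apache CXF coordinates in "mvn dependency:tree" output, e.g.
# "[INFO] +- org.apache.cxf:cxf-core:jar:3.6.3:compile".
DEP_LINE = re.compile(r"org\.apache\.cxf:(?P<artifact>[\w.-]+):jar:(?P<version>[^:\s]+)")


def parse_version(text):
    """Turn '3.6.3' or '4.0.5-SNAPSHOT' into a (major, minor, patch) tuple.

    Qualifiers such as -SNAPSHOT are ignored, so a pre-release of a fixed
    version is treated as fixed; tighten this if your build uses them.
    """
    m = re.match(r"^(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    if not m:
        raise ValueError(f"unrecognised CXF version: {text!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def is_affected(text):
    """True if the version is older than the fix for its branch."""
    v = parse_version(text)
    branch = v[:2]
    if branch in FIXED_VERSIONS:
        return v < FIXED_VERSIONS[branch]
    # Branches without a listed fix (3.4.x and older) are "prior to 3.5.9";
    # anything newer than the fixed branches (e.g. 4.1.x) is not affected.
    return v < (3, 5, 9)


def scan_dependency_tree(lines):
    """Return [(artifact, version, affected)] for each CXF artifact found."""
    findings = []
    for line in lines:
        m = DEP_LINE.search(line)
        if m:
            version = m.group("version")
            findings.append((m.group("artifact"), version, is_affected(version)))
    return findings


# Constructed sample output, not a real build.
SAMPLE_TREE = """\
[INFO] +- org.apache.cxf:cxf-rt-frontend-jaxrs:jar:3.6.3:compile
[INFO] |  \\- org.apache.cxf:cxf-core:jar:3.6.3:compile
[INFO] +- org.apache.cxf:cxf-rt-rs-service-description:jar:4.0.5:compile
[INFO] \\- org.slf4j:slf4j-api:jar:2.0.9:compile
""".splitlines()

if __name__ == "__main__":
    for artifact, version, affected in scan_dependency_tree(SAMPLE_TREE):
        print(f"{artifact} {version}: {'AFFECTED' if affected else 'ok'}")
```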
Fix
SSRF
Weakness Enumeration
Related Identifiers
Affected Products
Apache Cxf