CVE-2010-2076 — Improper Input Validation in Apache CXF

CWE-20 — Improper Input Validation6 documents6 sources

Severity

9.8CRITICALNVD

CNA7.5GHSA7.5OSV7.5

EPSS

12.0%

top 6.22%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Apache CXF

Timeline

PublishedAug 19

Latest updateMay 13

Description

Apache CXF 2.0.x before 2.0.13, 2.1.x before 2.1.10, and 2.2.x before 2.2.9, as used in Apache ServiceMix, Apache Camel, Apache Chemistry, Apache jUDDI, Apache Geronimo, and other products, does not properly reject DTDs in SOAP messages, which allows remote attackers to read arbitrary files, send HTTP requests to intranet servers, or cause a denial of service (CPU and memory consumption) via a crafted DTD, as demonstrated by an entity declaration in a request to samples/wsdl_first_pure_xml, a si…

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages1 packages

▶NVDapache/cxf2.0.6 — 2.0.13+2

Patches

Patch: lists.apache.org ↗Patch: lists.apache.org ↗Patch: lists.apache.org ↗

🔴Vulnerability Details

GHSA

Improper Input Validation in Apache CXF↗2022-05-13

▶

OSV

Improper Input Validation in Apache CXF↗2022-05-13

▶

CVEList

CVE-2010-2076: Apache CXF 2↗2010-08-19

▶

📋Vendor Advisories

Red Hat

CXF: Insufficient constraints on Document Type Declarations (DTDs)↗2010-06-15

▶

💬Community

Bugzilla

CVE-2010-2076 Apache CXF: Insufficient constraints on Document Type Declarations (DTDs)↗2012-09-10

▶