CVE-2013-2160
Published 2013-08-19
Priority P3 · 38 · medium · 5 · CVSS 2.0
Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P
Exploit
EPSS: 32.26% (98.1th percentile)
The streaming XML parser in Apache CXF 2.5.x before 2.5.10, 2.6.x before 2.6.7, and 2.7.x before 2.7.4 allows remote attackers to cause a denial of service (CPU and memory consumption) via crafted XML with a large number of (1) elements, (2) attributes, (3) nested constructs, and possibly other vectors.
Affected
21 ranges (vendor apache, product cxf); the per-version entries did not survive extraction, so the ranges are summarised here from the description:
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| apache | cxf | 2.5.x before 2.5.10 | 2.5.10 |
| apache | cxf | 2.6.x before 2.6.7 | 2.6.7 |
| apache | cxf | 2.7.x before 2.7.4 | 2.7.4 |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 2.0 | 5.0 | MEDIUM | AV:N/AC:L/Au:N/C:N/I:N/A:P |
| vendor_redhat | — | 5.0 | MEDIUM | — |
OSV
Missing XML Validation in Apache CXF
osv · 2022-05-13 · CVE-2013-2160 [MEDIUM]
GHSA
Missing XML Validation in Apache CXF
ghsa · 2022-05-13 · CVE-2013-2160 [MEDIUM] · CWE-112
Red Hat
apache-cxf: Multiple denial of service flaws in the StAX parser
vendor_redhat · 2013-06-26 · CVSS 5.0 · CVE-2013-2160 [MEDIUM]
Package: jbossws-cxf (Red Hat JBoss Enterprise Application Platform 6) - Not affected
Bugzilla
cxf: CVE-2013-2160 cxf, jbossws-cxf, apache-cxf: Multiple denial of service flaws in the StAX parser [fedora-all]
bugzilla · 2013-06-27 · CVSS 5.0 · CVE-2013-2160 [MEDIUM]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of Fedora.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When creating a Bodhi update request, please use the bodhi submission link
noted in the next comment(s). This will include the bug IDs of this
tracking bug as well as the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
Bodhi notes field when ava
Bugzilla
CVE-2013-2160 cxf, jbossws-cxf, apache-cxf: Multiple denial of service flaws in the StAX parser
bugzilla · 2013-03-29 · CVSS 5.0 · CVE-2013-2160 [MEDIUM]
Multiple denial of service flaws were found in the way the StAX parser implementation of Apache CXF, an open-source web services framework, performed processing of certain XML files. If a web service application utilized the services of the StAX parser, a remote attacker could provide a specially crafted XML file that, when processed by the application, would lead to excessive system resource (CPU cycles, memory) consumption by that application.
References:
[1] http://jira.codehaus.org/browse/WSTX-287
[2] http://jira.codehaus.org/browse/WSTX-285
Discussion:
External References:
http://cxf.apache.org/security-advisories.data/CVE-2013-2160.txt.asc
---
Upstream patch (picks up Woodstox 4.2.0 as
References
http://jira.codehaus.org/browse/WSTX-285
http://jira.codehaus.org/browse/WSTX-287
http://rhn.redhat.com/errata/RHSA-2013-1028.html
http://rhn.redhat.com/errata/RHSA-2013-1437.html
https://bugzilla.redhat.com/show_bug.cgi?id=929197
https://cxf.apache.org/security-advisories.data/CVE-2013-2160.txt.asc
https://lists.apache.org/thread.html/r36e44ffc1a9b365327df62cdfaabe85b9a5637de102cea07d79b2dbf%40%3Ccommits.cxf.apache.org%3E
https://lists.apache.org/thread.html/rc774278135816e7afc943dc9fc78eb0764f2c84a2b96470a0187315c%40%3Ccommits.cxf.apache.org%3E
https://lists.apache.org/thread.html/rd49aabd984ed540c8ff7916d4d79405f3fa311d2fdbcf9ed307839a6%40%3Ccommits.cxf.apache.org%3E
https://lists.apache.org/thread.html/rec7160382badd3ef4ad017a22f64a266c7188b9ba71394f0d321e2d4%40%3Ccommits.cxf.apache.org%3E
https://lists.apache.org/thread.html/rfb87e0bf3995e7d560afeed750fac9329ff5f1ad49da365129b7f89e%40%3Ccommits.cxf.apache.org%3E
https://lists.apache.org/thread.html/rff42cfa5e7d75b7c1af0e37589140a8f1999e578a75738740b244bd4%40%3Ccommits.cxf.apache.org%3E