Public exploit available
Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2013-2160

CWE-399CWE-1128 documents7 sources
Severity: 5.0 MEDIUM
EPSS: 12.3% (top 6.14%)
CISA KEV: Not in KEV
Exploit: PoC available (public exploit / PoC exists)
Affected products
Timeline
Published: Aug 19
Latest update: May 13

Description

The streaming XML parser in Apache CXF 2.5.x before 2.5.10, 2.6.x before 2.6.7, and 2.7.x before 2.7.4 allows remote attackers to cause a denial of service (CPU and memory consumption) via crafted XML with a large number of (1) elements, (2) attributes, (3) nested constructs, and possibly other vectors.

CVSS vector

AV:N/AC:L/C:N/I:N/A:P | Exploitability: 10.0 | Impact: 2.9

Affected Packages (2 packages)

Maven | org.apache.cxf:cxf-rt-frontend-jaxrs | introduced 2.5.0 | fixed 2.5.10 | +2 more ranges
NVD | apache/cxf | 21 versions | +20 more

Patches

🔴 Vulnerability Details (3)

OSV: Missing XML Validation in Apache CXF (2022-05-13)
GHSA: Missing XML Validation in Apache CXF (2022-05-13)
CVEList: CVE-2013-2160: The streaming XML parser in Apache CXF 2 (2013-08-19)

💥 Exploits & PoCs (1)

Exploit-DB: Apache CXF < 2.5.10/2.6.7/2.7.4 - Denial of Service (2013-07-09)

📋 Vendor Advisories (1)

Red Hat: apache-cxf: Multiple denial of service flaws in the StAX parser (2013-06-26)

💬 Community (2)

Bugzilla: cxf: CVE-2013-2160 cxf, jbossws-cxf, apache-cxf: Multiple denial of service flaws in the StAX parser [fedora-all] (2013-06-27)
Bugzilla: CVE-2013-2160 cxf, jbossws-cxf, apache-cxf: Multiple denial of service flaws in the StAX parser (2013-03-29)

Source: cvebase.io, CVE-2013-2160 (MEDIUM, CVSS 5.0)