CVE-2017-12624

CWE-20Improper Input Validation7 documents6 sources
Severity
5.5MEDIUM
EPSS
3.6%
top 12.28%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Apache CXFApache Software Foundation Apache CXF
Timeline
PublishedNov 14
Latest updateMay 13

Description

Apache CXF supports sending and receiving attachments via either the JAX-WS or JAX-RS specifications. It is possible to craft a message attachment header that could lead to a Denial of Service (DoS) attack on a CXF web service provider. Both JAX-WS and JAX-RS services are vulnerable to this attack. From Apache CXF 3.2.1 and 3.1.14, message attachment headers that are greater than 300 characters will be rejected by default. This value is configurable via the property "attachment-max-header-size".

CVSS vector

CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:HExploitability: 1.8 | Impact: 3.6

Affected Packages3 packages

NVDapache/cxf3.0.03.0.16+2
Mavenorg.apache.cxf:cxf-core3.2.03.2.1+2
CVEListV5apache_software_foundation/apache_cxf3.2.x prior to 3.2.1, prior to 3.1.14+1

🔴Vulnerability Details

3
GHSA
Improper Input Validation in Apache CXF2022-05-13
OSV
Improper Input Validation in Apache CXF2022-05-13
CVEList
CVE-2017-12624: Apache CXF supports sending and receiving attachments via either the JAX-WS or JAX-RS specifications2017-11-14

📋Vendor Advisories

1
Red Hat
cxf: Improper size validation in message attachment header for JAX-WS and JAX-RS services2017-11-14

💬Community

2
Bugzilla
CVE-2017-12624 cxf: Improper size validation in message attachment header for JAX-WS and JAX-RS services [fedora-all]2017-11-21
Bugzilla
CVE-2017-12624 cxf: Improper size validation in message attachment header for JAX-WS and JAX-RS services2017-11-21
CVE-2017-12624 (MEDIUM CVSS 5.5) | Apache CXF supports sending and rec | cvebase.io