CVE-2019-12406 — Allocation of Resources Without Limits or Throttling in Apache CXF

CWE-770 — Allocation of Resources Without Limits or Throttling CWE-400 — Uncontrolled Resource Consumption7 documents6 sources

Severity

6.5MEDIUMNVD

EPSS

4.1%

top 11.34%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Apache CXF Apache Software Foundation Apache CXF Oracle Commerce Guided Search +2 more

Timeline

PublishedNov 6

Latest updateMar 23

Description

Apache CXF before 3.3.4 and 3.2.11 does not restrict the number of message attachments present in a given message. This leaves open the possibility of a denial of service type attack, where a malicious user crafts a message containing a very large number of message attachments. From the 3.3.4 and 3.2.11 releases, a default limit of 50 message attachments is enforced. This is configurable via the message property "attachment-max-count".

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:HExploitability: 2.8 | Impact: 3.6

Affected Packages5 packages

▶NVDapache/cxf3.3.0 — 3.3.4+1

▶CVEListV5apache_software_foundation/apache_cxfApache CXF versions before 3.3.4 and 3.2.11

▶NVDoracle/retail_order_broker15.0

▶NVDoracle/commerce_guided_search11.3.2

▶NVDoracle/flexcube_private_banking12.0.0, 12.1.0+1

Patches

Patch: www.oracle.com ↗Patch: www.oracle.com ↗Patch: www.oracle.com ↗

🔴Vulnerability Details

GHSA

Potential DOS attack due to unrestricted attachment count in messages↗2019-11-08

▶

OSV

Potential DOS attack due to unrestricted attachment count in messages↗2019-11-08

▶

CVEList

CVE-2019-12406: Apache CXF before 3↗2019-11-06

▶

📋Vendor Advisories

Red Hat

cxf: does not restrict the number of message attachments↗2019-11-06

▶

💬Community

Bugzilla

CVE-2019-12406 cxf: does not restrict the number of message attachments↗2020-03-23

▶

Bugzilla

CVE-2019-12406 cxf: does not restrict the number of message attachments [fedora-all]↗2020-03-23

▶