CVE-2021-30468

Severity
7.5HIGH
EPSS
1.9%
top 16.78%
CISA KEV
Not in KEV
Exploit
No known exploits
Timeline
Published: Jun 16
Latest update: Apr 15

Description

A vulnerability in the JsonMapObjectReaderWriter of Apache CXF allows an attacker to submit malformed JSON to a web service, which causes the handling thread to get stuck in an infinite loop, consuming CPU indefinitely. This issue affects Apache CXF versions prior to 3.4.4 and Apache CXF versions prior to 3.3.11.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Exploitability: 3.9 | Impact: 3.6

Affected Packages (8 packages)

NVD | apache/cxf | 3.4.0 | 3.4.4 | +1
Maven | org.apache.cxf:cxf | 3.4.0 | 3.4.4 | +1
Maven | org.apache.cxf:apache-cxf | 3.4.0 | 3.4.4 | +1
CVEListV5 | apache_software_foundation/apache_cxf | Apache CXF | 3.4.4
NVD | apache/tomee | 8.0.6

Patches

Vulnerability Details (3)

OSV | Infinite loop in Apache CFX | 2022-01-06
GHSA | Infinite loop in Apache CFX | 2022-01-06
CVEList | Apache CXF Denial of service vulnerability in parsing JSON via JsonMapObjectReaderWriter | 2021-06-16

Vendor Advisories (3)

Oracle | Oracle Communications Risk Matrix: Visualization, Mediation (Apache CXF) — CVE-2021-30468 | 2022-04-15
Oracle | Oracle Communications Applications Risk Matrix: Security (Apache CXF) — CVE-2021-30468 | 2021-10-15
Red Hat | CXF: Denial of service vulnerability in parsing JSON via JsonMapObjectReaderWriter | 2021-06-16