Описание
Apache CXF supports sending and receiving attachments via either the JAX-WS or JAX-RS specifications. It is possible to craft a message attachment header that could lead to a Denial of Service (DoS) attack on a CXF web service provider. Both JAX-WS and JAX-RS services are vulnerable to this attack. From Apache CXF 3.2.1 and 3.1.14, message attachment headers that are greater than 300 characters will be rejected by default. This value is configurable via the property "attachment-max-header-size".
Затронутые пакеты
| Платформа | Пакет | Состояние | Рекомендация | Релиз |
|---|---|---|---|---|
| Red Hat BPM Suite 6 | cxf | Not affected | ||
| Red Hat Fuse 7 | cxf | Affected | ||
| Red Hat JBoss BRMS 5 | cxf | Not affected | ||
| Red Hat JBoss BRMS 6 | cxf | Not affected | ||
| Red Hat JBoss Data Grid 6 | cxf | Not affected | ||
| Red Hat JBoss Data Virtualization 6 | cxf | Not affected | ||
| Red Hat JBoss Enterprise Application Platform 5 | cxf | Will not fix | ||
| Red Hat JBoss Enterprise Application Platform 6 | cxf | Will not fix | ||
| Red Hat JBoss Fuse 6 | cxf | Affected | ||
| Red Hat JBoss Fuse Integration Service 2 | cxf | Affected |
Показывать по
Дополнительная информация
Статус:
EPSS
5.3 Medium
CVSS3
Связанные уязвимости
Apache CXF supports sending and receiving attachments via either the JAX-WS or JAX-RS specifications. It is possible to craft a message attachment header that could lead to a Denial of Service (DoS) attack on a CXF web service provider. Both JAX-WS and JAX-RS services are vulnerable to this attack. From Apache CXF 3.2.1 and 3.1.14, message attachment headers that are greater than 300 characters will be rejected by default. This value is configurable via the property "attachment-max-header-size".
EPSS
5.3 Medium
CVSS3