Описание
Apache CXF before 3.3.4 and 3.2.11 does not restrict the number of message attachments present in a given message. This leaves open the possibility of a denial of service type attack, where a malicious user crafts a message containing a very large number of message attachments. From the 3.3.4 and 3.2.11 releases, a default limit of 50 message attachments is enforced. This is configurable via the message property "attachment-max-count".
Затронутые пакеты
| Платформа | Пакет | Состояние | Рекомендация | Релиз |
|---|---|---|---|---|
| Red Hat BPM Suite 6 | cxf | Out of support scope | ||
| Red Hat BPM Suite 6 | cxf-core | Out of support scope | ||
| Red Hat JBoss BRMS 6 | cxf | Out of support scope | ||
| Red Hat JBoss BRMS 6 | cxf-core | Out of support scope | ||
| Red Hat JBoss Enterprise Application Platform 7 | cxf | Not affected | ||
| Red Hat JBoss Enterprise Application Platform 7 | cxf-core | Not affected | ||
| Red Hat JBoss Fuse 6 | cxf-core | Out of support scope | ||
| Red Hat OpenShift Application Runtimes | cxf-core | Affected | ||
| Red Hat Single Sign-On 7 | cxf-core | Not affected | ||
| Red Hat support for Spring Boot | cxf-core | Not affected |
Показывать по
Дополнительная информация
Статус:
EPSS
6.5 Medium
CVSS3
Связанные уязвимости
Apache CXF before 3.3.4 and 3.2.11 does not restrict the number of message attachments present in a given message. This leaves open the possibility of a denial of service type attack, where a malicious user crafts a message containing a very large number of message attachments. From the 3.3.4 and 3.2.11 releases, a default limit of 50 message attachments is enforced. This is configurable via the message property "attachment-max-count".
Potential DOS attack due to unrestricted attachment count in messages
Уязвимость каркаса для веб-сервисов Apache CXF, связанная с неконтролируемым расходом ресурсов, позволяющая нарушителю вызвать отказ в обслуживании
EPSS
6.5 Medium
CVSS3