
CVE-2024-28752

Published: March 14, 2024
Source: redhat
CVSS3: 7.4
EPSS: Low

Description

A SSRF vulnerability using the Aegis DataBinding in versions of Apache CXF before 4.0.4, 3.6.3 and 3.5.8 allows an attacker to perform SSRF style attacks on webservices that take at least one parameter of any type. Users of other data bindings (including the default databinding) are not impacted.

A server-side request forgery (SSRF) vulnerability was found in Apache CXF. This issue occurs in attacks on webservices that take at least one parameter of any type, and when the Aegis databinding is used. Users of other data bindings, including the default databinding, are not impacted.

Statement

Red Hat rates this as Important impact because it requires the Aegis databinding, which is not the default databinding for Apache CXF.

Mitigation

No mitigation is currently available for this vulnerability. Please make sure to update as the fixes become available.

Affected packages

Platform | Package | State | Advisory | Release
Logging Subsystem for Red Hat OpenShift | com.amazon.opendistroforelasticsearch-opendistro_security | Not affected | |
Red Hat Build of Keycloak | cxf-core | Not affected | |
Red Hat Data Grid 8 | cxf-core | Not affected | |
Red Hat Fuse 7 | cxf-core | Affected | |
Red Hat JBoss Data Grid 7 | cxf-core | Out of support scope | |
Red Hat JBoss Enterprise Application Platform Expansion Pack | cxf-core | Not affected | |
Red Hat Process Automation 7 | cxf-core | Not affected | |
Red Hat Single Sign-On 7 | cxf-core | Fix deferred | |
streams for Apache Kafka | cxf-core | Not affected | |
Important: Red Hat JBoss Enterprise Application Platform 7.4.17 Security update | cxf-core | Fixed | RHSA-2024:3563 | 03.06.2024


Additional information

Status: Important
Weakness: CWE-918
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2270732 (cxf-core: Apache CXF SSRF Vulnerability using the Aegis databinding)

EPSS

Percentile: 69%
Score: 0.0059 (Low)

CVSS3: 7.4 High

Related vulnerabilities

CVSS3: 9.3
nvd
almost 2 years ago

A SSRF vulnerability using the Aegis DataBinding in versions of Apache CXF before 4.0.4, 3.6.3 and 3.5.8 allows an attacker to perform SSRF style attacks on webservices that take at least one parameter of any type. Users of other data bindings (including the default databinding) are not impacted.

CVSS3: 9.3
github
almost 2 years ago

SSRF vulnerability using the Aegis DataBinding in Apache CXF

CVSS3: 9.8
fstec
almost 2 years ago

Vulnerability in the Apache CXF web services framework caused by insufficient validation of user-supplied input, allowing an attacker to carry out an SSRF attack.
