Org.apache.cxf:cxf
This hub aggregates every CVE we track for Org.apache.cxf:cxf, a product in the OSS libraries space. Use it to gauge the current risk picture and drill into individual advisories.
CVEs tracked: 12
Critical: 3
High: 3
In CISA KEV: 0
Severity distribution
MEDIUM: 6, HIGH: 3, CRITICAL: 3
Monthly trend (2024-07 to 2026-06): 0 for every month shown.
Latest CVEs
The 12 most recently published vulnerabilities affecting Org.apache.cxf:cxf.
- CVE-2021-30468: Apache CXF Denial of service vulnerability in parsing JSON via JsonMapObjectReaderWriter (score 7.5)
- CVE-2021-22696: OAuth 2 authorization service vulnerable to DDoS attacks (score 7.5)
- CVE-2020-13954: Apache CXF Reflected XSS in the services listing page via the styleSheetPath (score 6.1)
- CVE-2019-17573: By default, Apache CXF creates a /services page containing a listing of the available endpoint names and addresses. This webpage is vulnerable to a reflected Cross-Site Scripting (XSS) attack, whic... (score 6.1)
- CVE-2019-12423: Apache CXF ships with an OpenId Connect JWK Keys service, which allows a client to obtain the public keys in JWK format, which can then be used to verify the signature of tokens issued by the servic... (score 7.5)
- CVE-2019-12419: Apache CXF before 3.3.4 and 3.2.11 provides all of the components that are required to build a fully fledged OpenId Connect service. There is a vulnerability in the access token services, where it ... (score 9.8)
- CVE-2019-12406: Apache CXF before 3.3.4 and 3.2.11 does not restrict the number of message attachments present in a given message. This leaves open the possibility of a denial of service type attack, where a malic... (score 6.5)
- CVE-2012-0803: The WS-SP UsernameToken policy in Apache CXF 2.4.5 and 2.5.1 allows remote attackers to bypass authentication by sending an empty UsernameToken as part of a SOAP request. (score 9.8)
- CVE-2012-5633: The URIMappingInterceptor in Apache CXF before 2.5.8, 2.6.x before 2.6.5, and 2.7.x before 2.7.2, when using the WSS4JInInterceptor, bypasses WS-Security processing, which allows remote attackers t... (score 5.8)
- CVE-2012-2378: Apache CXF 2.4.5 through 2.4.7, 2.5.1 through 2.5.3, and 2.6.x before 2.6.1, does not properly enforce child policies of a WS-SecurityPolicy 1.1 SupportingToken policy on the client side, which all... (score 4.3)
- CVE-2012-2379: Apache CXF 2.4.x before 2.4.8, 2.5.x before 2.5.4, and 2.6.x before 2.6.1, when a Supporting Token specifies a child WS-SecurityPolicy 1.1 or 1.2 policy, does not properly ensure that an XML elemen... (score 10.0)
- CVE-2012-3451: Apache CXF before 2.4.9, 2.5.x before 2.5.5, and 2.6.x before 2.6.2 allows remote attackers to execute unintended web-service operations by sending a header with a SOAP Action String that is incons... (score 4.3)
Product normalization is registry-driven with AI assist and human review.