Apache CXF: SSRF vulnerability via WADL stylesheet parameter

Moderate severity GitHub Reviewed Published Jul 19, 2024 to the GitHub Advisory Database • Updated Aug 2, 2024

Package

org.apache.cxf:cxf-rt-rs-service-description (Maven)

Affected versions

>= 4.0.0, < 4.0.5
>= 3.6.0, < 3.6.4
< 3.5.9

Patched versions

4.0.5
3.6.4
3.5.9

Description

An SSRF vulnerability in the WADL service description feature of Apache CXF in versions before 4.0.5, 3.6.4 and 3.5.9 allows an attacker to perform SSRF-style attacks on REST web services. The attack only applies if a custom stylesheet parameter is configured.
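
To check a build against the affected ranges listed above, the following added example (not part of the advisory or of Apache CXF) scans `mvn dependency:list` output for the package and reports the patched release for each affected version. The sample listing is constructed, and treating any qualified build (for example `-SNAPSHOT`) as earlier than its release is an assumption chosen to err on the side of flagging.

```python
import re

ARTIFACT = "org.apache.cxf:cxf-rt-rs-service-description"

# Affected ranges from the advisory: >= 4.0.0, < 4.0.5 | >= 3.6.0, < 3.6.4 | < 3.5.9.
# Fourth tuple element: 1 for a plain release, 0 for a qualified build (assumption).
RANGES = [
    ((4, 0, 0, 0), (4, 0, 5, 1)),
    ((3, 6, 0, 0), (3, 6, 4, 1)),
    ((0, 0, 0, 0), (3, 5, 9, 1)),
]

# dependency:list prints groupId:artifactId:type[:classifier]:version:scope
DEP_LINE = re.compile(
    re.escape(ARTIFACT)
    + r":[^:\s]+(?::[^:\s]+)?:([^:\s]+):(?:compile|runtime|provided|test|system)\b"
)

def parse_version(text):
    """Turn '3.6.4-SNAPSHOT' into (3, 6, 4, 0) and '3.6.4' into (3, 6, 4, 1)."""
    m = re.match(r"(\d+)(?:\.(\d+))?(?:\.(\d+))?(.*)$", text)
    if m is None:
        raise ValueError(f"not a numeric Maven version: {text!r}")
    major, minor, patch, rest = m.groups()
    return (int(major), int(minor or 0), int(patch or 0), 0 if rest else 1)

def fixed_release(version):
    """Return the patched version to move to, or None when not affected."""
    v = parse_version(version)
    for low, high in RANGES:
        if low <= v < high:
            return ".".join(str(n) for n in high[:3])
    return None

def scan(listing):
    """Return (found_version, patched_version) for each affected entry."""
    findings = []
    for line in listing.splitlines():
        m = DEP_LINE.search(line)
        if m and fixed_release(m.group(1)):
            findings.append((m.group(1), fixed_release(m.group(1))))
    return findings

# Constructed sample input, not taken from a real project.
SAMPLE = """\
[INFO]    org.apache.cxf:cxf-rt-rs-service-description:jar:3.5.5:compile
[INFO]    org.apache.cxf:cxf-rt-rs-service-description:jar:4.0.5:compile
[INFO]    org.apache.cxf:cxf-rt-rs-service-description:jar:3.6.4-SNAPSHOT:runtime
[INFO]    org.apache.cxf:cxf-core:jar:3.5.5:compile
"""
```

A match means the dependency is in an affected range; per the description, the attack itself only applies where a custom stylesheet parameter is configured, so that configuration still has to be reviewed.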

References

Published by the National Vulnerability Database Jul 19, 2024
Published to the GitHub Advisory Database Jul 19, 2024
Reviewed Jul 19, 2024
Last updated Aug 2, 2024

Severity

Moderate

EPSS score

0.160%
(53rd percentile)

Weaknesses

CVE ID

CVE-2024-29736

GHSA ID

GHSA-5m3j-pxh7-455p

Source code
