org.apache.cxf:apache-cxf (Maven) — known CVEs & security advisories
Known CVE vulnerabilities and GitHub Security Advisories affecting the Maven package org.apache.cxf:apache-cxf, with affected version ranges, CVSS severity, EPSS exploit prediction, and CISA KEV status.
CVEs (7)
CVE-2018-8039 — CVSS 8.1 (high): It is possible to configure Apache CXF to use the com.sun.net.ssl implementation via 'System.setProperty("java.protocol.handler.pkgs"…
CVE-2021-22696 — CVSS 7.5 (high): CXF supports (via JwtRequestCodeFilter) passing OAuth 2 parameters via a JWT token as opposed to query parameters (see: The OAuth 2.0…
CVE-2021-30468 — CVSS 7.5 (high): A vulnerability in the JsonMapObjectReaderWriter of Apache CXF allows an attacker to submit malformed JSON to a web service, which results…
CVE-2019-12423 — CVSS 7.5 (high): Apache CXF ships with a OpenId Connect JWK Keys service, which allows a client to obtain the public keys in JWK format, which can then be…
CVE-2019-12406 — CVSS 6.5 (medium): Apache CXF before 3.3.4 and 3.2.11 does not restrict the number of message attachments present in a given message. This leaves open the…
CVE-2019-17573 — CVSS 6.1 (medium): By default, Apache CXF creates a /services page containing a listing of the available endpoint names and addresses. This webpage is…
CVE-2020-13954 — CVSS 6.1 (medium): By default, Apache CXF creates a /services page containing a listing of the available endpoint names and addresses. This webpage is…