org.apache.cxf:cxf (Maven) — known CVEs & security advisories
Known CVE vulnerabilities and GitHub Security Advisories affecting the Maven package org.apache.cxf:cxf, with affected version ranges, CVSS severity, EPSS exploit prediction, and CISA KEV status.
CVEs (12)
CVE-2012-2379 — CVSS 10.0 (critical): Apache CXF 2.4.x before 2.4.8, 2.5.x before 2.5.4, and 2.6.x before 2.6.1, when a Supporting Token specifies a child WS-SecurityPolicy 1.1…
CVE-2012-0803 — CVSS 9.8 (critical): The WS-SP UsernameToken policy in Apache CXF 2.4.5 and 2.5.1 allows remote attackers to bypass authentication by sending an empty…
CVE-2019-12419 — CVSS 9.8 (critical): Apache CXF before 3.3.4 and 3.2.11 provides all of the components that are required to build a fully fledged OpenId Connect service. There…
CVE-2021-30468 — CVSS 7.5 (high): A vulnerability in the JsonMapObjectReaderWriter of Apache CXF allows an attacker to submit malformed JSON to a web service, which results…
CVE-2021-22696 — CVSS 7.5 (high): CXF supports (via JwtRequestCodeFilter) passing OAuth 2 parameters via a JWT token as opposed to query parameters (see: The OAuth 2.0…
CVE-2019-12423 — CVSS 7.5 (high): Apache CXF ships with a OpenId Connect JWK Keys service, which allows a client to obtain the public keys in JWK format, which can then be…
CVE-2019-12406 — CVSS 6.5 (medium): Apache CXF before 3.3.4 and 3.2.11 does not restrict the number of message attachments present in a given message. This leaves open the…
CVE-2019-17573 — CVSS 6.1 (medium): By default, Apache CXF creates a /services page containing a listing of the available endpoint names and addresses. This webpage is…
CVE-2020-13954 — CVSS 6.1 (medium): By default, Apache CXF creates a /services page containing a listing of the available endpoint names and addresses. This webpage is…
CVE-2012-5633 — CVSS 5.8 (medium): The URIMappingInterceptor in Apache CXF before 2.5.8, 2.6.x before 2.6.5, and 2.7.x before 2.7.2, when using the WSS4JInInterceptor…
CVE-2012-2378 — CVSS 4.3 (medium): Apache CXF 2.4.5 through 2.4.7, 2.5.1 through 2.5.3, and 2.6.x before 2.6.1, does not properly enforce child policies of a…
CVE-2012-3451 — CVSS 4.3 (medium): Apache CXF before 2.4.9, 2.5.x before 2.5.5, and 2.6.x before 2.6.2 allows remote attackers to execute unintended web-service operations by…