Home > Vulnerability Database > CVE-2017-12624

Mend.io Vulnerability Database

CVE-2017-12624

Good to know:

Date: November 13, 2017

Apache CXF supports sending and receiving attachments via either the JAX-WS or JAX-RS specifications. It is possible to craft a message attachment header that could lead to a Denial of Service (DoS) attack on a CXF web service provider. Both JAX-WS and JAX-RS services are vulnerable to this attack. From Apache CXF 3.2.1 and 3.1.14, message attachment headers that are greater than 300 characters will be rejected by default. This value is configurable via the property "attachment-max-header-size".

Language: Java

Severity Score

5.5

Related Resources (15)

Url: https://lists.apache.org/thread.html/rfb87e0bf3995e7d560afeed750fac9329ff5f1ad49da365129b7f89e%40%3Ccommits.cxf.apache.org%3E

Url: https://lists.apache.org/thread.html/r36e44ffc1a9b365327df62cdfaabe85b9a5637de102cea07d79b2dbf%40%3Ccommits.cxf.apache.org%3E

Url: https://access.redhat.com/errata/RHSA-2018:2428

Url: https://lists.apache.org/thread.html/rff42cfa5e7d75b7c1af0e37589140a8f1999e578a75738740b244bd4%40%3Ccommits.cxf.apache.org%3E

Url: https://access.redhat.com/errata/RHSA-2018:2425

Url: https://nvd.nist.gov/vuln/detail/CVE-2017-12624

Url: http://www.securitytracker.com/id/1040486

Url: https://access.redhat.com/errata/RHSA-2018:2423

Url: https://access.redhat.com/errata/RHSA-2018:2424

Url: https://lists.apache.org/thread.html/rec7160382badd3ef4ad017a22f64a266c7188b9ba71394f0d321e2d4%40%3Ccommits.cxf.apache.org%3E

Url: https://lists.apache.org/thread.html/rc774278135816e7afc943dc9fc78eb0764f2c84a2b96470a0187315c%40%3Ccommits.cxf.apache.org%3E

Url: https://lists.apache.org/thread.html/rd49aabd984ed540c8ff7916d4d79405f3fa311d2fdbcf9ed307839a6%40%3Ccommits.cxf.apache.org%3E

Url: http://cxf.apache.org/security-advisories.data/CVE-2017-12624.txt.asc

Url: http://www.securityfocus.com/bid/101859

Url: https://www.mend.io/vulnerability-database/CVE-2017-12624

Severity Score

5.5

Weakness Type (CWE)

Data Handling

CWE-19

Insufficient Information

NVD-CWE-noinfo

Top Fix

Upgrade Version

Upgrade to version org.apache.cxf:cxf-core:3.1.15,3.2.2,org.apache.cxf:cxf-rt-frontend-jaxrs:3.1.15,3.2.2

Learn More

CVSS v3.1

Base Score:	5.5
Attack Vector (AV):	LOCAL
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	REQUIRED
Scope (S):	UNCHANGED
Confidentiality (C):	NONE
Integrity (I):	NONE
Availability (A):	HIGH

CVSS v2

Base Score:	4.3
Access Vector (AV):	NETWORK
Access Complexity (AC):	MEDIUM
Authentication (AU):	NONE
Confidentiality (C):	NONE
Integrity (I):	NONE
Availability (A):	PARTIAL
Additional information:

Mend.io Vulnerability Database

We found results for “”

CVE-2017-12624

Good to know:

Date: November 13, 2017

Language: Java

Severity Score

Related Resources (15)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

CVSS v2

Do you need more information?