CVE-2017-12624

Published: Nov 14, 2017

Modified: Sep 17, 2024

PUBLISHED

Description

Apache CXF supports sending and receiving attachments via either the JAX-WS or JAX-RS specifications. It is possible to craft a message attachment header that could lead to a Denial of Service (DoS) attack on a CXF web service provider. Both JAX-WS and JAX-RS services are vulnerable to this attack. From Apache CXF 3.2.1 and 3.1.14, message attachment headers that are greater than 300 characters will be rejected by default. This value is configurable via the property "attachment-max-header-size".
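
The advisory names the property but not where it is set. The following is an added example (not code from the advisory or from the Apache CXF project) showing the property applied to both endpoint types the advisory covers, using CXF's public `JAXRSServerFactoryBean` and `JaxWsServerFactoryBean` APIs. The `UploadResource` and `EchoService` classes, the `localhost:9000` addresses and the choice to pass the value as a String are assumptions made for the example; only the property name "attachment-max-header-size" and the 300-character default come from the advisory.

```java
import java.util.HashMap;
import java.util.Map;

import javax.jws.WebService;
import javax.ws.rs.Consumes;
import javax.ws.rs.POST;
import javax.ws.rs.Path;

import org.apache.cxf.endpoint.Server;
import org.apache.cxf.jaxrs.JAXRSServerFactoryBean;
import org.apache.cxf.jaxrs.ext.multipart.MultipartBody;
import org.apache.cxf.jaxws.JaxWsServerFactoryBean;

/** Hypothetical JAX-RS resource that accepts multipart attachments. */
@Path("/upload")
class UploadResource {
    @POST
    @Consumes("multipart/form-data")
    public String upload(MultipartBody body) {
        return "received " + body.getAllAttachments().size() + " part(s)";
    }
}

/** Hypothetical JAX-WS service; SwA/MTOM requests to it are multipart too. */
@WebService
class EchoService {
    public String echo(String text) {
        return text;
    }
}

public class AttachmentHeaderLimit {

    /** Property name taken from the advisory. */
    static final String ATTACHMENT_MAX_HEADER_SIZE = "attachment-max-header-size";

    /**
     * Builds the endpoint property map. The value is passed as a String
     * (assumption: CXF parses the property from its string form, so a
     * String is the safe representation regardless of CXF version).
     */
    static Map<String, Object> attachmentLimit(int maxHeaderChars) {
        Map<String, Object> props = new HashMap<>();
        props.put(ATTACHMENT_MAX_HEADER_SIZE, Integer.toString(maxHeaderChars));
        return props;
    }

    public static void main(String[] args) {
        // JAX-RS endpoint: pin the limit explicitly rather than relying on
        // the 300-character default so the setting is visible in code review.
        JAXRSServerFactoryBean rs = new JAXRSServerFactoryBean();
        rs.setResourceClasses(UploadResource.class);
        rs.setAddress("http://localhost:9000/rs");
        rs.setProperties(attachmentLimit(300));
        Server rsServer = rs.create();

        // JAX-WS endpoint: same property, same semantics.
        JaxWsServerFactoryBean ws = new JaxWsServerFactoryBean();
        ws.setServiceClass(EchoService.class);
        ws.setServiceBean(new EchoService());
        ws.setAddress("http://localhost:9000/ws");
        ws.setProperties(attachmentLimit(300));
        Server wsServer = ws.create();

        System.out.println("JAX-RS: " + rsServer.getEndpoint().getEndpointInfo().getAddress());
        System.out.println("JAX-WS: " + wsServer.getEndpoint().getEndpointInfo().getAddress());
    }
}
```

Two caveats for anyone applying this. First, the property only exists from 3.1.14 and 3.2.1 onward; on an affected version it is silently ignored, so upgrading is the actual fix and the property is a tuning knob, not a workaround. Second, raise the value above 300 only if a legitimate client genuinely sends longer attachment headers, since every extra character is budget an attacker can spend as well. In Spring or Blueprint XML the same key goes in a `<jaxrs:properties>` or `<jaxws:properties>` entry on the endpoint.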

Affected products

Vendor: Apache Software Foundation
Product: Apache CXF
Affected versions:
  prior to 3.1.14
  3.2.x prior to 3.2.1

References

RHSA-2018:2428 (vendor advisory, Red Hat)
1040486 (vulnerability database entry, SecurityTracker)
RHSA-2018:2424 (vendor advisory, Red Hat)
RHSA-2018:2423 (vendor advisory, Red Hat)
RHSA-2018:2425 (vendor advisory, Red Hat)
101859 (vulnerability database entry, SecurityFocus BID)