CVE-2024-28752 Apache CXF SSRF Vulnerability using the Aegis databinding

2024-03-1510:27:30

CWE-918

apache

github.com

cve-2024-28752

apache cxf

ssrf

vulnerability

aegis databinding

AI Score

6.6

Confidence

Low

SSVC

Exploitation

none

Automatable

Technical Impact

total

JSON

A SSRF vulnerability using the Aegis DataBinding in versions of Apache CXF before 4.0.4, 3.6.3 and 3.5.8 allows an attacker to perform SSRF style attacks on webservices that take at least one parameter of any type. Users of other data bindings (including the default databinding) are not impacted.

CNA Affected

[
  {
    "vendor": "Apache Software Foundation",
    "product": "Apache CXF",
    "versions": [
      {
        "status": "affected",
        "version": "0",
        "lessThan": "4.0.4, 3.6.3, 3.5.8",
        "versionType": "semver"
      }
    ],
    "packageName": "org.apache.cxf.aegis",
    "defaultStatus": "unaffected"
  }
]

ADP Affected

[
  {
    "cpes": [
      "cpe:2.3:a:netapp:oncommand_workflow_automation:-:*:*:*:*:*:*:*"
    ],
    "vendor": "netapp",
    "product": "oncommand_workflow_automation",
    "versions": [
      {
        "status": "affected",
        "version": "0"
      }
    ],
    "defaultStatus": "unknown"
  },
  {
    "cpes": [
      "cpe:2.3:a:apache:cxf:*:*:*:*:*:*:*:*"
    ],
    "vendor": "apache",
    "product": "cxf",
    "versions": [
      {
        "status": "affected",
        "version": "0",
        "lessThan": "4.0.4",
        "versionType": "semver"
      },
      {
        "status": "affected",
        "version": "0",
        "lessThan": "3.6.3",
        "versionType": "semver"
      },
      {
        "status": "affected",
        "version": "0",
        "lessThan": "3.5.8",
        "versionType": "semver"
      }
    ],
    "defaultStatus": "unaffected"
  }
]