CVE-2019-12406
- Source
- https://cve.org/CVERecord?id=CVE-2019-12406
- Import Source
- https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2019-12406.json
- JSON Data
- https://api.osv.dev/v1/vulns/CVE-2019-12406
- Aliases
- Published
- 2019-11-06T21:15:11.180Z
- Modified
- 2026-04-10T04:15:30.664346Z
- Severity
-
- 6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H CVSS Calculator
- Summary
- [none]
- Details
-
Apache CXF before 3.3.4 and 3.2.11 does not restrict the number of message attachments present in a given message. This leaves open the possibility of a denial of service type attack, where a malicious user crafts a message containing a very large number of message attachments. From the 3.3.4 and 3.2.11 releases, a default limit of 50 message attachments is enforced. This is configurable via the message property "attachment-max-count".
- References
-
- https://lists.apache.org/thread.html/r92238967ba2783d3ab5a483f2e17f5fdaa8ace98990f69f9e8e15de0%40%3Cissues.cxf.apache.org%3E
- https://lists.apache.org/thread.html/rabc395b38acb7f2465bfbf0bc16d6e1e95720c89bea87abe8808eeea%40%3Cissues.cxf.apache.org%3E
- https://lists.apache.org/thread.html/rb2a6dab1f781f55326543c56dc29ea677759439ddfeba920c83037e6%40%3Cissues.cxf.apache.org%3E
- https://lists.apache.org/thread.html/rca465c9d1e1969281338522b76701c85a07abd045c494261137236e0%40%3Cissues.cxf.apache.org%3E
- https://lists.apache.org/thread.html/r36e44ffc1a9b365327df62cdfaabe85b9a5637de102cea07d79b2dbf%40%3Ccommits.cxf.apache.org%3E
- https://lists.apache.org/thread.html/rc774278135816e7afc943dc9fc78eb0764f2c84a2b96470a0187315c%40%3Ccommits.cxf.apache.org%3E
- https://lists.apache.org/thread.html/rd49aabd984ed540c8ff7916d4d79405f3fa311d2fdbcf9ed307839a6%40%3Ccommits.cxf.apache.org%3E
- https://lists.apache.org/thread.html/rec7160382badd3ef4ad017a22f64a266c7188b9ba71394f0d321e2d4%40%3Ccommits.cxf.apache.org%3E
- https://lists.apache.org/thread.html/rfb87e0bf3995e7d560afeed750fac9329ff5f1ad49da365129b7f89e%40%3Ccommits.cxf.apache.org%3E
- https://lists.apache.org/thread.html/rff42cfa5e7d75b7c1af0e37589140a8f1999e578a75738740b244bd4%40%3Ccommits.cxf.apache.org%3E
- http://cxf.apache.org/security-advisories.data/CVE-2019-12406.txt.asc
- https://www.oracle.com/security-alerts/cpuApr2021.html
- https://www.oracle.com/security-alerts/cpujan2020.html
- https://www.oracle.com/security-alerts/cpuapr2020.html
Affected packages
Git / github.com/apache/cxf
Affected versions
cxf-2.*
cxf-2.1
cxf-2.1.2
cxf-2.2
cxf-2.2.1
cxf-2.2.2
cxf-2.3.0
cxf-2.4.0
cxf-2.5.0
cxf-2.5.1
cxf-2.6.0
cxf-2.6.1
cxf-2.7.0
cxf-2.7.1
cxf-2.7.2
cxf-3.*
cxf-3.0.0
cxf-3.0.0-milestone2
cxf-3.1.0
cxf-3.1.1
cxf-3.1.2
cxf-3.1.3
cxf-3.1.4
cxf-3.2.0
cxf-3.2.1
cxf-3.2.10
cxf-3.2.2
cxf-3.2.3
cxf-3.2.4
cxf-3.2.5
cxf-3.2.6
cxf-3.2.7
cxf-3.2.8
cxf-3.2.9
cxf-3.3.0
cxf-3.3.1
cxf-3.3.2
cxf-3.3.3
Database specific
source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2019-12406.json"
unresolved_ranges
[
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "11.3.2"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "12.0.0"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "12.1.0"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "15.0"
}
]
}
]