CVE-2019-12406
- Source
- https://cve.org/CVERecord?id=CVE-2019-12406
- Import Source
- https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2019-12406.json
- JSON Data
- https://api.osv.dev/v1/vulns/CVE-2019-12406
- Aliases
- Published
- 2019-11-06T21:15:11.180Z
- Modified
- 2026-04-02T01:35:56.790855Z
- Severity
-
- 6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H CVSS Calculator
- Summary
- [none]
- Details
-
Apache CXF before 3.3.4 and 3.2.11 does not restrict the number of message attachments present in a given message. This leaves open the possibility of a denial of service type attack, where a malicious user crafts a message containing a very large number of message attachments. From the 3.3.4 and 3.2.11 releases, a default limit of 50 message attachments is enforced. This is configurable via the message property "attachment-max-count".
- References
-
- https://lists.apache.org/thread.html/r92238967ba2783d3ab5a483f2e17f5fdaa8ace98990f69f9e8e15de0%40%3Cissues.cxf.apache.org%3E
- https://lists.apache.org/thread.html/rabc395b38acb7f2465bfbf0bc16d6e1e95720c89bea87abe8808eeea%40%3Cissues.cxf.apache.org%3E
- https://lists.apache.org/thread.html/rb2a6dab1f781f55326543c56dc29ea677759439ddfeba920c83037e6%40%3Cissues.cxf.apache.org%3E
- https://lists.apache.org/thread.html/rca465c9d1e1969281338522b76701c85a07abd045c494261137236e0%40%3Cissues.cxf.apache.org%3E
- https://lists.apache.org/thread.html/r36e44ffc1a9b365327df62cdfaabe85b9a5637de102cea07d79b2dbf%40%3Ccommits.cxf.apache.org%3E
- https://lists.apache.org/thread.html/rc774278135816e7afc943dc9fc78eb0764f2c84a2b96470a0187315c%40%3Ccommits.cxf.apache.org%3E
- https://lists.apache.org/thread.html/rd49aabd984ed540c8ff7916d4d79405f3fa311d2fdbcf9ed307839a6%40%3Ccommits.cxf.apache.org%3E
- https://lists.apache.org/thread.html/rec7160382badd3ef4ad017a22f64a266c7188b9ba71394f0d321e2d4%40%3Ccommits.cxf.apache.org%3E
- https://lists.apache.org/thread.html/rfb87e0bf3995e7d560afeed750fac9329ff5f1ad49da365129b7f89e%40%3Ccommits.cxf.apache.org%3E
- https://lists.apache.org/thread.html/rff42cfa5e7d75b7c1af0e37589140a8f1999e578a75738740b244bd4%40%3Ccommits.cxf.apache.org%3E
- http://cxf.apache.org/security-advisories.data/CVE-2019-12406.txt.asc
- https://www.oracle.com/security-alerts/cpuApr2021.html
- https://www.oracle.com/security-alerts/cpujan2020.html
- https://www.oracle.com/security-alerts/cpuapr2020.html
Affected packages
Git / github.com/apache/cxf
Affected versions
cxf-2.*
cxf-2.1
cxf-2.1.1
cxf-2.1.10
cxf-2.1.2
cxf-2.1.3
cxf-2.1.4
cxf-2.1.5
cxf-2.1.6
cxf-2.1.7
cxf-2.1.8
cxf-2.1.9
cxf-2.2
cxf-2.2.1
cxf-2.2.10
cxf-2.2.11
cxf-2.2.12
cxf-2.2.2
cxf-2.2.3
cxf-2.2.4
cxf-2.2.5
cxf-2.2.6
cxf-2.2.7
cxf-2.2.8
cxf-2.2.9
cxf-2.3.0
cxf-2.3.1
cxf-2.3.10
cxf-2.3.11
cxf-2.3.2
cxf-2.3.3
cxf-2.3.4
cxf-2.3.5
cxf-2.3.6
cxf-2.3.7
cxf-2.3.8
cxf-2.3.9
cxf-2.4.0
cxf-2.4.1
cxf-2.4.10
cxf-2.4.2
cxf-2.4.3
cxf-2.4.4
cxf-2.4.5
cxf-2.4.6
cxf-2.4.7
cxf-2.4.8
cxf-2.4.9
cxf-2.5.0
cxf-2.5.1
cxf-2.5.10
cxf-2.5.11
cxf-2.5.2
cxf-2.5.3
cxf-2.5.4
cxf-2.5.5
cxf-2.5.6
cxf-2.5.7
cxf-2.5.8
cxf-2.5.9
cxf-2.6.0
cxf-2.6.1
cxf-2.6.10
cxf-2.6.11
cxf-2.6.12
cxf-2.6.13
cxf-2.6.14
cxf-2.6.15
cxf-2.6.16
cxf-2.6.17
cxf-2.6.2
cxf-2.6.3
cxf-2.6.4
cxf-2.6.5
cxf-2.6.6
cxf-2.6.7
cxf-2.6.8
cxf-2.6.9
cxf-2.7.0
cxf-2.7.1
cxf-2.7.10
cxf-2.7.11
cxf-2.7.12
cxf-2.7.13
cxf-2.7.14
cxf-2.7.15
cxf-2.7.16
cxf-2.7.17
cxf-2.7.18
cxf-2.7.2
cxf-2.7.3
cxf-2.7.4
cxf-2.7.5
cxf-2.7.6
cxf-2.7.7
cxf-2.7.8
cxf-2.7.9
cxf-3.*
cxf-3.0.0
cxf-3.0.0-milestone1
cxf-3.0.0-milestone2
cxf-3.0.1
cxf-3.0.10
cxf-3.0.11
cxf-3.0.12
cxf-3.0.13
cxf-3.0.14
cxf-3.0.15
cxf-3.0.16
cxf-3.0.2
cxf-3.0.3
cxf-3.0.4
cxf-3.0.5
cxf-3.0.6
cxf-3.0.7
cxf-3.0.8
cxf-3.0.9
cxf-3.1.0
cxf-3.1.1
cxf-3.1.10
cxf-3.1.11
cxf-3.1.12
cxf-3.1.13
cxf-3.1.14
cxf-3.1.15
cxf-3.1.16
cxf-3.1.17
cxf-3.1.18
cxf-3.1.2
cxf-3.1.3
cxf-3.1.4
cxf-3.1.5
cxf-3.1.6
cxf-3.1.7
cxf-3.1.8
cxf-3.1.9
cxf-3.2.0
cxf-3.2.1
cxf-3.2.10
cxf-3.2.2
cxf-3.2.3
cxf-3.2.4
cxf-3.2.5
cxf-3.2.6
cxf-3.2.7
cxf-3.2.8
cxf-3.2.9
cxf-3.3.0
cxf-3.3.1
cxf-3.3.2
cxf-3.3.3
cxf-3.4.0
cxf-3.4.1
cxf-3.4.10
cxf-3.4.2
cxf-3.4.3
cxf-3.4.4
cxf-3.4.5
cxf-3.4.6
cxf-3.4.7
cxf-3.4.8
cxf-3.4.9
cxf-3.5.0
cxf-3.5.1
cxf-3.5.10
cxf-3.5.11
cxf-3.5.2
cxf-3.5.3
cxf-3.5.4
cxf-3.5.5
cxf-3.5.6
cxf-3.5.7
cxf-3.5.8
cxf-3.5.9
cxf-3.6.0
cxf-3.6.1
cxf-3.6.10
cxf-3.6.2
cxf-3.6.3
cxf-3.6.4
cxf-3.6.5
cxf-3.6.6
cxf-3.6.7
cxf-3.6.8
cxf-3.6.9
cxf-4.*
cxf-4.0.0
cxf-4.0.1
cxf-4.0.10
cxf-4.0.11
cxf-4.0.2
cxf-4.0.3
cxf-4.0.4
cxf-4.0.5
cxf-4.0.6
cxf-4.0.7
cxf-4.0.8
cxf-4.0.9
cxf-4.1.0
cxf-4.1.1
cxf-4.1.2
cxf-4.1.3
cxf-4.1.4
cxf-4.1.5
cxf-4.2.0
Database specific
source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2019-12406.json"
unresolved_ranges
[
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "11.3.2"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "12.0.0"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "12.1.0"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "15.0"
}
]
}
]