GHSA-254q-rp36-v2m8

Source

https://github.com/advisories/GHSA-254q-rp36-v2m8

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-254q-rp36-v2m8/GHSA-254q-rp36-v2m8.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-254q-rp36-v2m8

Aliases

CVE-2013-2160

Published

2022-05-13T01:09:20Z

Modified

2024-12-05T05:42:24.331228Z

Summary

Missing XML Validation in Apache CXF

Details

The streaming XML parser in Apache CXF 2.5.x before 2.5.10, 2.6.x before 2.6.7, and 2.7.x before 2.7.4 allows remote attackers to cause a denial of service (CPU and memory consumption) via crafted XML with a large number of (1) elements, (2) attributes, (3) nested constructs, and possibly other vectors.

Database specific

{
    "severity": "MODERATE",
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-112"
    ],
    "nvd_published_at": "2013-08-19T23:55:00Z",
    "github_reviewed_at": "2022-07-08T19:08:08Z"
}

References

Affected packages

Maven

org.apache.cxf:cxf-rt-frontend-jaxrs

Package

Name: org.apache.cxf:cxf-rt-frontend-jaxrs; View open source insights on deps.dev
Purl: pkg:maven/org.apache.cxf/cxf-rt-frontend-jaxrs

Affected ranges

Type: ECOSYSTEM
Events: Introduced

2.5.0

Fixed

2.5.10

Affected versions

2.*

2.5.0

2.5.1

2.5.2

2.5.3

2.5.4

2.5.5

2.5.6

2.5.7

2.5.8

2.5.9

org.apache.cxf:cxf-rt-frontend-jaxrs

Package

Name: org.apache.cxf:cxf-rt-frontend-jaxrs; View open source insights on deps.dev
Purl: pkg:maven/org.apache.cxf/cxf-rt-frontend-jaxrs

Affected ranges

Type: ECOSYSTEM
Events: Introduced

2.6.0

Fixed

2.6.7

Affected versions

2.*

2.6.0

2.6.1

2.6.2

2.6.3

2.6.4

2.6.5

2.6.6

org.apache.cxf:cxf-rt-frontend-jaxrs

Package

Name: org.apache.cxf:cxf-rt-frontend-jaxrs; View open source insights on deps.dev
Purl: pkg:maven/org.apache.cxf/cxf-rt-frontend-jaxrs

Affected ranges

Type: ECOSYSTEM
Events: Introduced

2.7.0

Fixed

2.7.4

Affected versions

2.*

2.7.0

2.7.1

2.7.2

2.7.3