GHSA-4mgg-fqfq-64hg

Source

https://github.com/advisories/GHSA-4mgg-fqfq-64hg

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/07/GHSA-4mgg-fqfq-64hg/GHSA-4mgg-fqfq-64hg.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-4mgg-fqfq-64hg

Aliases

CVE-2024-41172

Published

2024-07-19T09:32:06Z

Modified

2024-07-19T19:42:16.063904Z

Severity

3.7 (Low) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L CVSS Calculator
6.3 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N CVSS Calculator

Summary

Apache CXF allows unrestricted memory consumption in CXF HTTP clients

Details

In versions of Apache CXF before 3.6.4 and 4.0.5 (3.5.x and lower versions are not impacted), a CXF HTTP client conduit may prevent HTTPClient instances from being garbage collected and it is possible that memory consumption will continue to increase, eventually causing the application to run out of memory

References

Affected packages

Maven / org.apache.cxf:cxf-rt-transports-http

Package

Name: org.apache.cxf:cxf-rt-transports-http; View open source insights on deps.dev
Purl: pkg:maven/org.apache.cxf/cxf-rt-transports-http

Affected ranges

Type: ECOSYSTEM
Events: Introduced

4.0.0

Fixed

4.0.5

Affected versions

4.*

4.0.0

4.0.1

4.0.2

4.0.3

4.0.4

Maven / org.apache.cxf:cxf-rt-transports-http

Package

Name: org.apache.cxf:cxf-rt-transports-http; View open source insights on deps.dev
Purl: pkg:maven/org.apache.cxf/cxf-rt-transports-http

Affected ranges

Type: ECOSYSTEM
Events: Introduced

3.6.0

Fixed

3.6.4

Affected versions

3.*

3.6.0

3.6.1

3.6.2

3.6.3