GHSA-6pff-fmh2-4mmf
Suggest an improvement- Source
- https://github.com/advisories/GHSA-6pff-fmh2-4mmf
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/07/GHSA-6pff-fmh2-4mmf/GHSA-6pff-fmh2-4mmf.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-6pff-fmh2-4mmf
- Aliases
- Published
- 2024-07-19T09:32:06Z
- Modified
- 2024-07-19T19:12:15.986303Z
- Severity
-
- 5.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L CVSS Calculator
- 6.9 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N CVSS Calculator
- Summary
- Apache CXF Denial of Service vulnerability in JOSE
- Details
-
An improper input validation of the p2c parameter in the Apache CXF JOSE code before 4.0.5, 3.6.4 and 3.5.9 allows an attacker to perform a denial of service attack by specifying a large value for this parameter in a token.
- Database specific
{ "github_reviewed": true, "github_reviewed_at": "2024-07-19T18:34:49Z", "severity": "MODERATE", "nvd_published_at": "2024-07-19T09:15:04Z", "cwe_ids": [ "CWE-20" ] }- References
-
- https://nvd.nist.gov/vuln/detail/CVE-2024-32007
- https://github.com/apache/cxf/commit/20793d3fed2e73e2785a58ec5b47403306ae4a5c
- https://github.com/apache/cxf/commit/2d2baa3455db7439bf1ed4e00edfc5a7106edf7d
- https://github.com/apache/cxf/commit/d1d77c34c199c2c87ebcfe23e3c81dccfe2e2473
- https://github.com/apache/cxf
- https://lists.apache.org/thread/stwrgsr1llb73nkl16klv9vjqgmmx633
Affected packages
Maven
org.apache.cxf:cxf-rt-rs-security-jose
Package
- Name
- org.apache.cxf:cxf-rt-rs-security-jose
- View open source insights on deps.dev
- Purl
- pkg:maven/org.apache.cxf/cxf-rt-rs-security-jose
org.apache.cxf:cxf-rt-rs-security-jose
Package
- Name
- org.apache.cxf:cxf-rt-rs-security-jose
- View open source insights on deps.dev
- Purl
- pkg:maven/org.apache.cxf/cxf-rt-rs-security-jose
org.apache.cxf:cxf-rt-rs-security-jose
Package
- Name
- org.apache.cxf:cxf-rt-rs-security-jose
- View open source insights on deps.dev
- Purl
- pkg:maven/org.apache.cxf/cxf-rt-rs-security-jose
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed3.5.9
Affected versions
3.*
3.0.2
3.0.3
3.0.4
3.0.5
3.0.6
3.0.7
3.0.8
3.0.9
3.0.10
3.0.11
3.0.12
3.0.13
3.0.14
3.0.15
3.0.16
3.1.0
3.1.1
3.1.2
3.1.3
3.1.4
3.1.5
3.1.6
3.1.7
3.1.8
3.1.9
3.1.10
3.1.11
3.1.12
3.1.13
3.1.14
3.1.15
3.1.16
3.1.17
3.1.18
3.2.0
3.2.1
3.2.2
3.2.3
3.2.4
3.2.5
3.2.6
3.2.7
3.2.8
3.2.9
3.2.10
3.2.11
3.2.12
3.2.13
3.2.14
3.3.0
3.3.1
3.3.2
3.3.3
3.3.4
3.3.5
3.3.6
3.3.7
3.3.8
3.3.9
3.3.10
3.3.11
3.3.12
3.3.13
3.4.0
3.4.1
3.4.2
3.4.3
3.4.4
3.4.5
3.4.6
3.4.7
3.4.8
3.4.9
3.4.10
3.5.0
3.5.1
3.5.2
3.5.3
3.5.4
3.5.5
3.5.6
3.5.7
3.5.8